Macs are officially no longer immune to XAgent, a backdoor malware linked to the Russian threat group APT 28, as researchers have now discovered a version targeting machines running on macOS (OS X).
Last week, Bitdefender and Palo Alto Networks were the first to report the discovery of the variant XAgentOSX, whose functionality appears to include stealing passwords, keylogging, capturing screen grabs and even exfiltrating backups of stored iPhone files.
Researchers have determined that XAgentOSX is likely distributed through the trojan downloader malware Komplex, which is also associated with APT 28 (also known as Fancy Bear, Pawn Storm, Sednit, Sofacy, Strontium and Tsar Team), the group deemed responsible for hacking the Democratic National Committee.
Other XAgentOSX commands include swiping Firefox browser passwords; probing for hardware and software configurations; accumulating a list of running processes; and downloading, executing and deleting files. But researchers placed particular emphasis on XAgentOSX's ability to determine if an iOS device was backed up on the compromised system by checking the iTunes default back-up directory. In a company blog post, Bitdefender noted that this functionality was significant "from an intelligence-gathering perspective," because actors can then use other XAgent commands to steal these back-ups.
"By default, iTunes does not encrypt back-up files, so the actors could use XAgent OSX to steal files from the back-up if the user backs up their iOS devices to the compromised system and does not choose the encrypted back-up setting," said Robert Falcone, an analyst with Palo Alto's Unit 42 threat intelligence team, in an email interview with SC Media.
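A defender-side audit for the condition Falcone describes, added here and not code from the article or from either vendor's report: it assumes the default macOS backup location (~/Library/Application Support/MobileSync/Backup) and that each backup folder's Manifest.plist carries an IsEncrypted boolean, and it runs over a constructed sample tree so it can be exercised offline.

```python
"""Audit local iTunes iOS backups and flag any stored unencrypted.

Assumptions (not from the article): backups live under the default
MobileSync/Backup folder, one sub-folder per device, and each folder's
Manifest.plist records the 'IsEncrypted' setting as a boolean.
"""
import plistlib
import tempfile
from pathlib import Path

DEFAULT_BACKUP_DIR = (Path.home() / "Library" / "Application Support"
                      / "MobileSync" / "Backup")


def audit_backups(backup_root: Path) -> dict:
    """Return {folder_name: 'encrypted' | 'UNENCRYPTED' | 'unknown'}."""
    results = {}
    if not backup_root.is_dir():
        return results
    for entry in sorted(backup_root.iterdir()):
        manifest = entry / "Manifest.plist"
        if not entry.is_dir() or not manifest.is_file():
            continue
        try:
            with manifest.open("rb") as fh:
                info = plistlib.load(fh)
            # Only an explicit True counts as protected; missing or False is exposed.
            status = "encrypted" if info.get("IsEncrypted") is True else "UNENCRYPTED"
        except (plistlib.InvalidFileException, OSError, ValueError):
            status = "unknown"  # unreadable manifest: needs manual review
        results[entry.name] = status
    return results


def _make_sample_tree(root: Path) -> None:
    """Constructed sample: one encrypted, one plain, one corrupt backup."""
    for name, flag in (("device-encrypted", True), ("device-plain", False)):
        (root / name).mkdir()
        with (root / name / "Manifest.plist").open("wb") as fh:
            plistlib.dump({"IsEncrypted": flag}, fh)
    (root / "device-corrupt").mkdir()
    (root / "device-corrupt" / "Manifest.plist").write_bytes(b"not a plist")


def demo() -> dict:
    """Run the audit against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        _make_sample_tree(Path(tmp))
        return audit_backups(Path(tmp))


if __name__ == "__main__":
    for name, status in {**demo(), **audit_backups(DEFAULT_BACKUP_DIR)}.items():
        print(f"{name}: {status}")
```

Any folder reported UNENCRYPTED is exactly the data the article says XAgentOSX can lift; turning on the encrypted back-up setting in iTunes closes that gap.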
Falcone also said that this specific command appears to be unique to XAgent's Mac variant, although it's possible such functionality has gone undetected in other versions due to visibility issues. (Falcone did note that prior versions of XAgent have had "the ability to interact with the file system, which would allow an actor to list the contents of any folder of interest, including those storing iOS device backups.")
According to researchers, the Mac backdoor checks for debuggers after installation, and will terminate itself upon detecting one. Assuming it survives this process, XAgentOSX uses HTTP POST requests to send encrypted data to its command-and-control server and GET requests to receive communications back. (Most of the C&C URLs impersonate Apple-related domains.)
Reportedly, XAgentOSX shares C&C infrastructure with both its Windows version and the Komplex downloader, and also contains binary strings that are identical to those found in Komplex. "Also, while we lack attack telemetry, we were able to find a loose connection to the attack campaign that Sofacy waged on the Democratic National Committee based on hosting data in both attacks," Palo Alto reported in its own blog post, authored by Falcone.