Menu
Russian cyberspies blamed for US election hacks are now targeting Macs

Russian cyberspies blamed for US election hacks are now targeting Macs

Security researchers found a macOS version of the X-Agent malware used by the APT28 cyberespionage group

Security researchers have discovered a macOS malware program that's likely part of the arsenal used by the Russian cyberespionage group blamed for hacking into the U.S. Democratic National Committee last year.

The group, which is known in the security industry under different names, including Fancy Bear, Pawn Storm, and APT28, has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent.

X-Agent variants for Windows, Linux, Android, and iOS have been found in the wild in the past, but researchers from Bitdefender have now come across what appears to be the first macOS version of the Trojan.

It's not entirely clear how the malware is being distributed because the Bitdefender researchers only obtained the malware sample, not the full attack chain. However, it's possible a macOS malware downloader dubbed Komplex, found in September, might be involved.

Komplex infected Macs by exploiting a known vulnerability in the MacKeeper antivirus software, according to researchers from Palo Alto Networks who investigated the malware at the time. The vulnerability allowed attackers to execute remote commands on a Mac when users visited specially crafted web pages.

Palo Alto Networks noted similarities between the Komplex downloader and a variant of the Carberp Trojan that APT28 is also known to have used. The command-and-control domain names used by the Trojan had also been associated with APT28's activity.

The new X-Agent macOS version uses very similar domain names to the Komplex Trojan, with only their TLD different, the Bitdefender researchers said. There are also identical project path strings inside both the Komplex and X-Agent samples, suggesting they were created by the same author.

The X-Agent malware can load additional modules, which the Bitdefender researchers are still investigating. So far, they've found functionality that allows attackers to probe the system for hardware and software configurations, grab a list of running processes, execute additional files, get desktop screenshots, and harvest browser passwords. One module is designed to search for and steal iPhone backups stored on Macs, which can contain further sensitive information about the targeted users.

"Our past analysis of samples known to be linked to the APT28 group shows a number of similarities between the Xagent component for Windows/Linux and the macOS binary that currently forms the object of our investigation," the Bitdefender researchers said in a blog post. "For one, there is the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, as well as a similar network module called HttpChanel."

APT28 is considered to be one of the most sophisticated and successful cyberespionage groups in the world and it frequently uses zero-day exploits -- exploits for previously unknown vulnerabilities. The group has been blamed for many hacking operations around the world over the years, and its selection of targets has frequently reflected Russia's geopolitical interests. Security researchers believe that the group is likely tied to the Russian Military Intelligence Service (GRU).


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments