Russian Hacking Group Turns Their Focus to Macs with New Malware

Media Division | February 15, 2017

According to Bitdefender Labs, the Xagent malware, which had been designed to collect and transmit files from hacked iPhones, has now been turned toward Macs.  Xagent has been linked to the Russian hacking group APT28, the same group suspected in the Democratic National Convention (DNC) hacks during the 2016 U.S. presidential election.  And while the exact lineage has not yet been established, Bitdefender believes that the group is also behind the Mac version of Xagent.  The malware is able to steal passwords and iPhone backups, as well as grab screens from Mac OS systems.

How Xagent Operates

Xagent is cleverly designed in the way it functions as a backdoor.  The malware is planted on a device by way of the Komplex downloader, and once it is installed, it checks whether a debugger is attached to the process.  If it discovers one, it terminates itself to prevent execution; if it does not detect a debugger, it waits for an internet connection and then initiates communication with command and control (C&C) servers.  These are the servers which send commands to different parts of a botnet.  Once this connection has been established, the payload begins its work.
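The article notes that the backdoor waits for connectivity and then talks to its C&C servers.  A backdoor that polls its server on a timer produces outbound connections at near-constant intervals, which is something a defender can look for in connection logs.  The script below is an added example, not code from the article or from Bitdefender: it groups connections by (process, destination), measures how regular the gaps between them are, and flags pairs that look like a polling loop.  The log format, process names and TEST-NET addresses are constructed for the example and are not indicators from the article.

```python
"""Beacon-regularity triage over constructed connection logs.

Added example; not code from the original article or from Bitdefender.
Groups outbound connections by (process, destination), computes the
coefficient of variation (CV) of the gaps between connections, and flags
pairs whose gaps are almost constant, the signature of a polling backdoor.
All log lines below are constructed (TEST-NET-2/3 addresses), not IoCs.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed log format: ISO timestamp, process name, destination host:port.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)$")

# Constructed sample: "updater.helper" polls one host every ~5 minutes,
# while Safari connects at irregular, user-driven times.
CONSTRUCTED_LOG = """\
2017-02-15T09:00:00Z proc=Safari dst=198.51.100.7:443
2017-02-15T09:00:00Z proc=updater.helper dst=203.0.113.10:443
2017-02-15T09:00:12Z proc=Safari dst=198.51.100.9:443
2017-02-15T09:05:00Z proc=updater.helper dst=203.0.113.10:443
2017-02-15T09:07:41Z proc=Safari dst=198.51.100.7:443
2017-02-15T09:10:01Z proc=updater.helper dst=203.0.113.10:443
2017-02-15T09:15:00Z proc=updater.helper dst=203.0.113.10:443
2017-02-15T09:19:55Z proc=Safari dst=198.51.100.7:443
2017-02-15T09:19:59Z proc=updater.helper dst=203.0.113.10:443
2017-02-15T09:25:00Z proc=updater.helper dst=203.0.113.10:443
2017-02-15T09:31:10Z proc=Safari dst=198.51.100.7:443
"""


def parse(log_text):
    """Return {(proc, dst): [datetime, ...]} from the constructed log format."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort triage
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        groups[(m["proc"], m["dst"])].append(ts)
    return groups


def gaps_seconds(timestamps):
    """Sorted inter-connection gaps in seconds."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def regularity(timestamps):
    """Coefficient of variation of the gaps (0.0 means perfectly periodic).

    Returns None for fewer than three connections: two connections give a
    single gap and carry no information about regularity.
    """
    gaps = gaps_seconds(timestamps)
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None  # all connections in the same second; not a timer
    return statistics.pstdev(gaps) / mean


def find_beacons(log_text, min_connections=4, max_cv=0.1):
    """Return [(proc, dst, mean_gap_seconds, cv)] for regular polling patterns."""
    findings = []
    for (proc, dst), stamps in parse(log_text).items():
        if len(stamps) < min_connections:
            continue
        cv = regularity(stamps)
        if cv is None or cv > max_cv:
            continue
        mean_gap = statistics.mean(gaps_seconds(stamps))
        findings.append((proc, dst, mean_gap, round(cv, 3)))
    return findings


if __name__ == "__main__":
    for proc, dst, gap, cv in find_beacons(CONSTRUCTED_LOG):
        print(f"possible beacon: {proc} -> {dst} every ~{gap:.0f}s (cv={cv})")
```

The thresholds are starting points, not fixed rules: a beacon that adds random jitter raises the CV, and a legitimate updater or monitoring agent polls on a timer too, so findings are leads for an analyst to correlate with process provenance and destination reputation rather than verdicts.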

APT28 goes by several aliases, including Fancy Bear, Pawn Storm, Sednit, and several others.  The Russian group has been on a malicious rampage, including being suspected of hacking a Ukrainian artillery site and the Dutch ministries.  APT28 has allegedly been linked to Russian military intelligence, though the Russian government has denied any such claims.

Protecting Data and Assets from Insidious Threats

With threats like APT28 and Xagent in the threat landscape, it is critical that organizations have proper cyber defenses in place.  Breaches by these types of malicious threat actors can result in extremely detrimental consequences for organizations and individuals.  Unfortunately, adept threats can hide extremely well before they decide to launch their attack upon organizations.  Even so, implementing the right systems, such as threat intelligence feeds, allows these threats to be located and detected before their attacks.  This gives organizations the ability to properly defend against them before they have a chance to launch an assault.  Comprehensive threat intelligence feeds from Massive Alliance give your organization the ability to proactively defend against threats.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.