Security vendor Bitdefender has uncovered a new version of the Xagent malware targeting Mac OS X. This new version of Xagent is believed to be linked to the APT28/Sofacy/Sednet APT that Bitdefender investigated last year. Xagent is claimed to be stealing passwords, grab screens and exfiltrate iPhone backups stored on Apple Mac’s. The malware is linked to cyber crime groups based in Russia and delivered via the Komplex downloader.
Modular APT allows for replacement/new modules
One of the interesting things about APT28 is its design as a modular malware. This allows modules to be regularly updated or changed to reflect different targets. It also allows the developers to change their code to defeat software designed to detect and block their malware. In this case the changes have come to the Xagent module.
The new module examines the infected machine looking for hardware and software configurations. It then grabs a list of running processes. This allows the malware to identify if it is running in a VM or what security software is on the machine. Other malware has been seen to terminate itself when either of these are detected. It is not clear from Bitdefender if that is the case with Xagent.
As well as grabbing browser passwords and cached credentials, Xagent also takes screenshots. Bitdefender did not identify exactly what is being captured in the screenshots. It is likely that these are related to online banking and financial transactions to defeat multi-factor authentication.
Xagent exfiltrating iPhone backups
Bitdefender claims that the most important new module is the one exfiltrating iPhone backups. It is not known how many users encrypted their local iPhone backups. Encrypted files should be harder for the attackers to unlock. However, it may be that Xagent is harvesting the password for the encrypted backup.
While not called out Bitdefender, it is reasonable to assume that if iPhone backups are being exfiltrated so are iPad backups. For those users and businesses that use iPad as a mobile device this is a serious threat.
More details to follow
At the moment there is a lot of information missing from this investigation. There is no list of Indicators of Compromise (IoC) nor is there a list of the Command and Control (C&C) servers used by Xagent. What Bitdefender has disclosed is that initial indications are that the C&C servers all pretend to be related to Apple and using the .net and .org TLDs.
Bitdefender says that there is a larger paper in the works and they will release this soon.
Endpoint protection software take-up on Apple Mac is low compared to Windows devices. This is partly due to the lack of malware historically targeting Apple Mac OS X. There is also a degree of user belief that Apple OS X is too hard for hackers to compromise. Over the last two years this has proven to be a mistaken belief and malware targeting Apple OS X has been on the rise.