Security researchers at Bitdefender find evidence of X-Agent malware variant for macOS
Thursday February 16, 2017. 02:15 PM , from Power Page
The malware that may have swung the U.S. presidential election could be on its way to a Mac near you.
Security researchers have discovered a macOS malware program that’s likely part of the arsenal used by the Russian cyberespionage group blamed for hacking into the U.S. Democratic National Committee last year.
The group, known under such names as “Fancy Bear”, “Pawn Storm” and “APT28”, has been active for almost a decade and is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent.
X-Agent variants for Windows, Linux, Android, and iOS have been found in the wild in the past, but researchers from Bitdefender have now come across what appears to be the first macOS version of the Trojan.
It’s currently unknown how the malware is being distributed, as Bitdefender researchers have only obtained the malware sample and not the full attack chain.
Still, it’s possible that a macOS malware downloader known as “Komplex”, which was discovered in September, is involved.
Komplex infected Macs by exploiting a known vulnerability in the MacKeeper antivirus software, according to researchers from Palo Alto Networks who investigated the malware at the time. The vulnerability allowed attackers to execute remote commands on a Mac when users visited specially crafted webpages.
Employees at Palo Alto Networks cited similarities between the Komplex downloader and a variant of the Carberp Trojan that APT28 is also known to have used. The command-and-control domain names used by the Trojan had also been associated with APT28’s activity.
The X-Agent variant for macOS uses domain names very similar to those of the Komplex Trojan, according to Bitdefender. The researchers also noticed identical project path strings inside the Komplex and X-Agent samples, which suggests that they may have been created by the same author.
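The two overlaps Bitdefender describes, shared command-and-control domains and identical project path strings left in the binaries, are the kind of thing an analyst checks with a strings pass over both samples. The script below is an added illustration of that correlation step; it is not Bitdefender's tooling, and the two byte blobs are constructed stand-ins for the Komplex and X-Agent binaries, since the article does not reproduce the real strings or domains.

```python
"""Correlate two malware samples by embedded build paths and C2 hostnames.
Added illustration; SAMPLE_A/SAMPLE_B and every path and domain in them are
constructed, not taken from the real Komplex or X-Agent samples."""
import re
from typing import Dict, List, Set

# Constructed stand-ins for two Mach-O binaries: a Mach-O magic, padding,
# an Xcode-style source path, a C2 URL and some unrelated text.
SAMPLE_A = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 8
    + b"/Users/dev/Projects/SampleAgent/Loader/main.m\x00"
    + b"https://updates.example-c2.test/api\x00"
    + b"Mozilla/5.0\x00"
)
SAMPLE_B = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 8
    + b"/Users/dev/Projects/SampleAgent/Modules/Screenshot.m\x00"
    + b"https://cdn.example-c2.test/files\x00"
    + b"unrelated string\x00"
)

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")           # printable ASCII runs, like `strings`
PATH_RE = re.compile(r"^/(?:Users|home)/[^\s\x00]+")  # developer build paths left by the compiler
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")     # hostnames inside URLs


def printable_strings(data: bytes) -> List[str]:
    """Every run of six or more printable ASCII bytes in the blob."""
    return [m.group(0).decode("ascii") for m in STRING_RE.finditer(data)]


def build_paths(data: bytes) -> Set[str]:
    """Strings that look like source paths from the author's build machine."""
    paths = set()
    for s in printable_strings(data):
        m = PATH_RE.match(s)
        if m:
            paths.add(m.group(0))
    return paths


def longest_shared_prefix(paths_a: Set[str], paths_b: Set[str], min_components: int = 3) -> str:
    """Longest directory prefix shared by any pair of build paths across the two
    samples. A prefix shorter than min_components (e.g. just /Users/dev) is too
    generic to count as evidence of a common project, so it is ignored."""
    best = ""
    for a in paths_a:
        for b in paths_b:
            shared = []
            for x, y in zip(a.split("/"), b.split("/")):
                if x != y:
                    break
                shared.append(x)
            prefix = "/".join(shared)
            if len(shared) - 1 >= min_components and len(prefix) > len(best):
                best = prefix
    return best


def c2_hosts(data: bytes) -> Set[str]:
    """Hostnames from any URL-looking string in the sample."""
    return {m.group(1).lower() for s in printable_strings(data) for m in URL_RE.finditer(s)}


def registrable_domains(hosts: Set[str]) -> Set[str]:
    """Collapse hostnames to their last two labels so two subdomains of one C2
    domain match. Crude on purpose; real tooling would use the Public Suffix List."""
    return {".".join(h.split(".")[-2:]) for h in hosts}


def correlate(a: bytes, b: bytes) -> Dict[str, object]:
    """Report the shared project path (if any) and shared C2 domains."""
    return {
        "shared_project_path": longest_shared_prefix(build_paths(a), build_paths(b)),
        "shared_domains": sorted(registrable_domains(c2_hosts(a)) & registrable_domains(c2_hosts(b))),
    }


if __name__ == "__main__":
    print(correlate(SAMPLE_A, SAMPLE_B))
```

On the constructed samples the two files share the project directory `/Users/dev/Projects/SampleAgent` and the domain `example-c2.test`, which is exactly the shape of overlap the article reports; on real binaries the same pass is run with `strings`-style extraction over the whole file, and a shared build path is strong evidence of a common developer while a shared domain is evidence of common infrastructure.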
X-Agent is modular and can load additional components at runtime. The malware’s functionality allows attackers to probe the system for both hardware and software configurations, grab a list of running processes, execute additional files, take desktop screenshots, and harvest browser passwords. One module is designed to search for and steal iPhone backups stored on Macs, which can contain further sensitive information about the targeted users.
APT28 is presently considered to be among the most sophisticated and successful cyber espionage groups in the world. The group has been credited with an assortment of successful hacks, although its selection of targets has frequently reflected Russia’s geopolitical interests. Security researchers believe that the group is likely tied to the Russian Military Intelligence Service (GRU).
Stay tuned for additional details as they become available.