The Russian hackers behind the election-season hacking in the United States have added to their bag of tricks: The APT28 group now can target victims running Mac OS X to steal passwords, grab screens and steal iPhone backups stored on the Mac.
According to an analysis by Bitdefender Labs, the group’s unique Xagent payload now has a Mac OS X version. It is a modular backdoor with advanced cyber-espionage capabilities, and is most likely planted on the system via the Komplex downloader.
“The analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords,” researchers noted. “But the most important module, from an intelligence-gathering perspective, is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.”
Bitdefender’s past analysis of samples known to be linked to the APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS X binary.
“There is the presence of similar modules, such as FileSystem, KeyLogger and RemoteShell, as well as a similar network module called HttpChanel,” the researchers noted. “Other indicators show that today’s sample also reports to a C&C URL that is identical to the Sofacy/APT28/Sednit Komplex OSX Trojan.”
Forensic evidence recovered from the binary also reveals identical binary strings in both the Komplex and Xagent clients. The examination further showed that Komplex is a key tool for the group.
“We conclude…that the Komplex component discovered in September has been exclusively used as a downloader and installer for the Xagent binary,” the researchers added, noting that their investigation is ongoing.