The Russian APT28 hacking group, which was previously said to be associated with US Presidential Election hacks, has now again come under spotlight as a new Xagent Mac malware purportedly made by the group can reportedly be used to potentially steal passwords, grab screens, and steal iPhone backups that are stored on the Mac.
Cyber-security and antivirus firm Bitdefender, which has defined the Xagent Mac malware as a ‘modular backdoor’, says that it can be customised according to the requirements of the hack, as pointed out in a report by Ars Technica. “The sample we are discussing today has been linked to the Mac OS X version of Xagent component from Sofacy/APT28/Sednit APT. This modular backdoor with advanced cyber-espionage capabilities is most likely planted on the system via the Komplex downloader,” Bitdefender said in its blog post.
Bitdefender’s analysis of the malware has revealed the presence of modules that can investigate the user’s system for hardware and software configurations, grab a list of running processes, and run additional files, the security firm said. The malware can also then get desktop screenshots and harvest browser passwords as well, it added.
“But the most important module, from an intelligence-gathering perspective, is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac,” Bitdefender said in its post.
Coming to the connection formed between the malware and APT28, Bitdefender says that there are a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the new Mac malware that is investigated by the firm.
It has been believed that APT28 hacker group has been active at least since 2007 and has close ties with Russian government, Ars Technica points out. The investigation on the malware is still going on and might reveal some other aspects of the modular backdoor.