by Matt Haring

The group behind one of the largest cyberespionage campaigns in history has been targeting Mac users with malware designed to steal passwords, take screenshots, and steal backed-up iPhone data.

This malware, discovered by cyber security researchers, is thought to be linked to the APT28 group, which was accused of interfering in the United States presidential election.

Once successfully installed on a Mac system, the backdoor will check for a debugger, and will terminate itself if one is found. In all other instances, the malware waits for an internet connection before initiating communication with a control server which impersonates an Apple domain.

Once connected, the payload builds two threads of communication, with one sending information to the control server while the other is used to get commands from your device.

Xagent is also capable of stealing iPhone backups stored on a compromised Mac, an action which opens up even more capabilities for conducting cyberespionage, providing the perpetrators with access to additional files and potentially confidential or sensitive data the user may store on their device.

Evidence suggests that the Mac OS binary behind Xagent shares identical strings to the Komplex downloader, previously used by the APT 28 group. These files are known to live in the following file paths on your machine.

“Users/kazak/Desktop/Project/komplex” (Komplex virus)

“Users/kazak/Desktop/Project/XagentOSX” (Xagent virus)

While the malware, and potentially those behind it, have been identified, it’s still unknown which specific organizations are being targeted with this latest form of cyberespionage. In addition to being suspected of attempted interference with the US election, The APT 28 group has also stolen medical files belonging to Olympic athletes after hacking the World Anti-Doping Agency.

Your best defense against this attack, and others like it is up-to-date anti-virus software. RCG utilizes such software known as Webroot, which is aware of the malicious files associated with this virus and others like it, and already has security measures in place. Investigation is on-going, and we will update you as more information is discovered.