Researchers at Bitdefender concluded the link when they discovered “a number of similarities” between the Mac-native variant and previous Windows/Linux samples that have been previously tied to APT28. Additionally, the Xagent Mac-variant’s command-and-control addresses echo another piece of APT28-linked malware: Komplex, a so-called Trojan virus that can simlarly attack Mac machines.
According to Bitdefender, the code could allow attackers to probe hardware and software configurations, run additional files, and steal desktop screenshots and passwords. Most worryingly, the Mac-native Xagent backdoor can allow a hacker to swipe the iPhone backups stored on a Mac’s hard drive. While Bitdefender’s security team doesn’t have a clear of how a machine could become infected, they theorized that an attack could be carried out through a hole in the MacKeeper antivirus kit — a method used by Komplex, according to Engadget.
It’s important to note that APT28, which is also known as Fancy Bear or Strontium, is the allegedly Russian state-sponsored group that was reportedly responsible for penetrating the computer networks of the Democratic National Committee during the campaign cycle, according to the Washington Post. In that hacking, the attackers were able to access and read the DNC’s email and chat logs. Cybersecurity firm CrowdStrike has said that they believe “with medium confidence” that APT28 has ties to Russia’s military intelligence agency.
State-backed or not, this new malware’s capabilities are still worrying. Luckily, it’s not impossible to defend a Mac against Xagent. In a comment, Bitdefender said that their antivirus software can detect and block the backdoor — by that logic, it’s possible that other updated AV platforms could too.
Details are currently scarce, but Bitdefender said that a more flushed-out forensic report is currently in the works. In the meantime, if you’re worried about being attacked by Russian hackers, it might be a good idea to look into those antivirus options — and encrypt your iPhone backups.