macOS machines are no longer immune to malware and are now the new target of attacks by APT28, the same hacking group behind the 2016 elections hack. The Mac malware can steal a seemingly unlimited amount of data, such as passwords and iPhone backups.

The Mac malware is built on Xagent, which is directly linked to APT28. The Mac version acts as a modular backdoor that an intruder can easily customize to fetch specific information. The malware can steal passwords and iPhone backups and can even capture live screenshots.

The newly discovered Mac malware is the latest addition to the substantial list of tools associated with APT28. Other researchers call it by various names such as Sednit, Sofacy, Pawn Storm and Fancy Bear. It has launched the 2016 elections interference and Xagent on Windows and Linux machines.

APT28 has been operating since 2007, according to CrowdStrike researchers. An analysis by Bitdefender in 2016 found that the hacking group's members are Russian in origin because they speak Russian and operate during Russian business hours. At the time, the group was targeting persons from Russia, Ukraine, Romania, Spain, Canada, and the U.S.

Moreover, the previous investigation of samples lends strength to the claim that APT28 is behind the Mac malware. For one, there are striking similarities between Sofacy or Xagent on Windows and Linux machines and the macOS binary. Another is that the file path found in the Xagent binary uses the same code found in Komplex, the first-stage Trojan that Sofacy has unleashed on targeted machines, Ars Technica reported.

The Mac malware infects macOS machines via the Komplex downloader, which then downloads and executes programs to steal vital information. Komplex is generally installed via spear phishing attacks, including infected DMG files and other executables. Once connected to the internet, Komplex can have access to everything, researchers from Bitdefender Labs discovered. The Mac malware can fetch passwords and login keys, access the list of running processes, take screenshots, index files and duplicate iPhone backups without the knowledge of the user.

The only way to stop the Mac malware is to be vigilant and avoid downloading or executing programs that are not from the App Store or a credible source. Tight asset control and admin policies, complemented by an information campaign, can halt potential infection. Not all personal and business macOS users are susceptible, as the earliest reports indicate that only targeted macOS machines are vulnerable and that the malware does not operate in the wild.
