XAgentOSX Mac malware linked to Russian hacking group

Researchers have discovered and analyzed a new piece of Mac malware that is believed to be used by the Sofacy (aka Fancy Bear, aka Pawn Storm, aka APT28) hacking group.

XAgentOSX

“The backdoor Trojan authors have called it XAgentOSX, which shares the name XAgent with one of Sofacy’s Windows-based Trojan and references Apple’s previous name for macOS, OS X,” Palo Alto Networks researchers have shared.

They have also found project paths within the tool that indicate that the creator of XAgentOSX is the same one that created the Komplex downloader, another tool used by the group.

“We believe it is possible that Sofacy uses Komplex to download and install the XAgentOSX tool to use its expanded command set on the compromised system,” they noted.

“Also, the macOS variant of this tool uses a similar network communications method as its Windows counterpart, which suggests this group continues to use consolidated C2 services to control compromised hosts.”

XAgentOSX can receive commands from the attackers and execute them, it can log keystrokes, take screenshots, gather the target’s username and OSX version used on the machine, list running processes, discover which apps are installed on the machine, check if an iOS device was backed up to the system, upload and download files, execute them or delete them, search for passwords saved through Firefox, and more.

BitDefender researchers have come to much of the same conclusions.

“Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation,” they pointed out. “For once, there is the presence of similar modules, such as FileSystem, KeyLogger and RemoteShell, as well as a similar network module called HttpChanel.”

Sofacy (aka Fancy Bear, aka APT28)

The Sofacy hacking group is believed to consist of members who are either Russian citizens or citizens of a neighboring country that speak Russian.

Other information indicates that they work mainly during Russia business hours.

Also, the targets they’ve hit over the years point to the group’s promotion of Russian national interests: military and intelligence targets, the NATO, the White House and, most recently, networks and endpoints associated with the US election.