Russian Mac malware steals passwords and iPhone backups


Still think your Mac is immune from viruses? Think again.

Just a week after a new strain of Mac malware was found hidden inside malicious Microsoft Word macros, security researchers have discovered sophisticated new software from Russian hackers that targets your saved passwords and iPhone backups.

The new Mac malware was created by APT28, a group blamed for interfering with last year’s U.S. presidential election by hacking the Democratic National Committee. It was already infamous prior to this for its long list of attacks on iOS, Android, Windows and

Now the group is targeting Macs with a new version of “Xagent,” a modular backdoor that can be customized to do different things. Security software company Bitdefender found that this particular strain is capable of stealing saved user passwords and highly sensitive iOS backups, among other things.

analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords,” Bitdefender writes. “But the most important module, from an intelligence-gathering perspective, is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.”

How APT28’s Xagent Mac malware works

Once the malware makes its way onto your system, it establishes communication with a server, then runs different modules that grab all kinds of information from your Mac.
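The module Bitdefender singles out is the one that exfiltrates iPhone backups, and the practical question for a Mac owner is how much such a backup would reveal if it were copied off the machine: a backup made with an encryption password is unreadable without it, while an unencrypted one exposes the device contents directly. The script below is an added example, not code from the article or from Bitdefender. It inventories the backups in the default Finder/iTunes location (`~/Library/Application Support/MobileSync/Backup`) and reports, per backup, whether the `IsEncrypted` flag in its `Manifest.plist` is set. When run somewhere without real backups it falls back to a constructed sample tree so the logic can be exercised offline; the folder names in that sample are made up.

```python
import plistlib
import tempfile
from pathlib import Path

# Default location of Finder/iTunes iOS backups on macOS.
DEFAULT_BACKUP_ROOT = Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"


def inventory_backups(root):
    """Return [(backup_dir_name, encrypted)] for each backup under root.

    encrypted is True/False from Manifest.plist's IsEncrypted key, or None
    when the manifest cannot be parsed. Directories without a
    Manifest.plist are not backups and are skipped.
    """
    root = Path(root)
    results = []
    if not root.is_dir():
        return results
    for entry in sorted(root.iterdir()):
        manifest = entry / "Manifest.plist"
        if not entry.is_dir() or not manifest.is_file():
            continue
        try:
            with manifest.open("rb") as fh:
                data = plistlib.load(fh)
            encrypted = bool(data.get("IsEncrypted", False))
        except Exception:
            encrypted = None
        results.append((entry.name, encrypted))
    return results


def unencrypted_backups(root):
    """Names of backups whose contents would be readable if exfiltrated."""
    return [name for name, enc in inventory_backups(root) if enc is False]


def make_sample_tree():
    """Build a constructed sample tree (not a real backup) for offline demonstration."""
    tmp = Path(tempfile.mkdtemp(prefix="mobilesync-demo-"))
    # Hypothetical backup folder names; real ones are device UDID hashes.
    for name, enc in (("deadbeef01", True), ("deadbeef02", False)):
        d = tmp / name
        d.mkdir()
        with (d / "Manifest.plist").open("wb") as fh:
            plistlib.dump({"IsEncrypted": enc, "Version": "10.0"}, fh)
    (tmp / "notabackup").mkdir()  # no Manifest.plist, so it is ignored
    return tmp


if __name__ == "__main__":
    root = DEFAULT_BACKUP_ROOT if DEFAULT_BACKUP_ROOT.is_dir() else make_sample_tree()
    labels = {True: "encrypted", False: "UNENCRYPTED", None: "unreadable manifest"}
    for name, enc in inventory_backups(root):
        print(f"{name}: {labels[enc]}")
```

Backups flagged UNENCRYPTED are the ones worth re-creating with the “Encrypt local backup” option turned on; the script only reads each backup’s manifest and never opens the backup files themselves.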

“Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation,” writes Bitdefender. “For once, there is the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, as well as a similar network module called HttpChanel.”

The good news is that this is described as targeted-attack malware, which means you’re unlikely to become a victim of it unless APT28 hits your system specifically. It’s unlikely you’ll find it lurking in the wild. And if you’re an average Joe, you’re probably not an APT28 target.

However, Bitdefender is still analyzing Xagent, so we’ll have to wait for further information.