Kremlin-linked hackers believed to be behind Mac spyware Xagent
iPhone backups can be slurped for Mother Russia, say researchers
Kremlin-linked spies have been blamed for cooking up malware called Xagent, which targets victims running macOS to steal passwords, grab screenshots and exfiltrate iPhone backups stored on the Mac.
Preliminary analysis by security software firm Bitdefender has uncovered links to the APT28 cyber-espionage group, elsewhere identified as a Russian military intelligence (GRU) unit blamed for last year's infamous attack on the US Democratic Party, an earlier attack on the German Bundestag, and many more. The latest malware uses the same dropper/downloader and similar command-and-control URLs as previous strains linked to APT28 (AKA Fancy Bear), and carries the same artefacts hardcoded in its binaries.
Analysis of Xagent reveals modules that can probe the system for its hardware and software configuration, list running processes, execute additional files, take desktop screenshots and harvest browser passwords.
The most important module from an intelligence-gathering perspective is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.
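Backup theft is the one capability above that a Mac owner can blunt before a compromise, by keeping local iOS backups encrypted. The script below is an added example, not code from the article or from Bitdefender's analysis: it walks the default location where iTunes and Finder store iOS device backups on macOS (~/Library/Application Support/MobileSync/Backup, one folder per device UDID), reads each backup's Manifest.plist and reports whether its IsEncrypted flag is set. The demo() function and the sample backup folders it writes are constructed for illustration and are not real backups.

```python
"""Added example (not from the article or Bitdefender): inventory iPhone
backups on a Mac and flag any that are stored unencrypted."""
import os
import plistlib
import tempfile
from pathlib import Path

# Default location where iTunes/Finder keep iOS device backups on macOS.
DEFAULT_BACKUP_ROOT = (Path(os.path.expanduser("~")) / "Library"
                       / "Application Support" / "MobileSync" / "Backup")


def inspect_backup(backup_dir: Path) -> dict:
    """Read Manifest.plist from one backup folder and report its encryption state."""
    manifest = backup_dir / "Manifest.plist"
    if not manifest.is_file():
        # A folder without a manifest is not a usable backup (or is still being written).
        return {"udid": backup_dir.name, "valid": False, "encrypted": None}
    with manifest.open("rb") as fh:
        data = plistlib.load(fh)  # handles both binary and XML plists
    return {
        "udid": backup_dir.name,
        "valid": True,
        "encrypted": bool(data.get("IsEncrypted", False)),
    }


def scan_backups(root: Path = DEFAULT_BACKUP_ROOT) -> list:
    """Inspect every backup folder under root; returns [] if the root does not exist."""
    if not root.is_dir():
        return []
    return [inspect_backup(d) for d in sorted(root.iterdir()) if d.is_dir()]


def unencrypted_backups(root: Path = DEFAULT_BACKUP_ROOT) -> list:
    """UDIDs of valid backups whose contents are stored in the clear."""
    return [b["udid"] for b in scan_backups(root) if b["valid"] and not b["encrypted"]]


def write_sample_backup(root: Path, udid: str, encrypted: bool) -> Path:
    """Create a constructed, minimal backup folder (Manifest.plist only) for testing."""
    d = root / udid
    d.mkdir(parents=True, exist_ok=True)
    with (d / "Manifest.plist").open("wb") as fh:
        # Real manifests are binary plists; only the IsEncrypted key matters here.
        plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh,
                      fmt=plistlib.FMT_BINARY)
    return d


def demo() -> list:
    """Run the scan over a constructed backup root holding one encrypted, one
    unencrypted and one incomplete backup; returns the unencrypted UDIDs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_backup(root, "0000-ENCRYPTED-DEVICE", encrypted=True)
        write_sample_backup(root, "0000-PLAINTEXT-DEVICE", encrypted=False)
        (root / "0000-INCOMPLETE-DEVICE").mkdir()  # no Manifest.plist
        return unencrypted_backups(root)


if __name__ == "__main__":
    for b in scan_backups():
        if not b["valid"]:
            state = "no manifest"
        else:
            state = "encrypted" if b["encrypted"] else "UNENCRYPTED"
        print(f"{b['udid']}: {state}")
    print("constructed demo ->", demo())
```

Run without arguments on a Mac to list real backups; an UNENCRYPTED line means a copy lifted off the disk can be read as-is. Turning on "Encrypt local backup" in iTunes/Finder means a stolen backup yields only ciphertext, but the operator can still brute-force the backup password offline, so it needs to be a strong one. Note also that keychain items and saved passwords are only written into encrypted backups, so an encrypted backup is a higher-value target if its password is weak.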
Bitdefender's previous research into APT28 can be found here [PDF]. ®