Recently, a new version of Xagent, a malware reportedly created by a Russian hacking group accused of interfering with last year’s presidential election, has been discovered, and this version specifically targets Mac users.
This New Mac Malware Steals Passwords, Screenshots, iPhone Backups
MacOS is one of the safest systems today, but that does not mean it is not vulnerable.
According to available information, the Russian hacking group APT28, which is responsible for developing a wide range of penetration tools for Windows, Linux, iOS, and Android, has now created a tool capable of stealing passwords, taking screenshots on Macs, and even stealing iPhone backups.
Dubbed Xagent, this new malware is apparently powerful and can steal almost everything on a Mac. Reviewing the BitDefender report, we found that the malware is built on a modular basis, which leads us to conclude that it is being developed for the long term: a modular design makes it easy to add new features and allows a group of programmers to read and develop the code together.
The techniques the malware uses to hinder reverse engineering (anti-debugging), to communicate with its C&C server, and to exfiltrate data are far from novel. In recent years, these techniques have been used by many different families and variants of malicious code and have proven to be highly effective, which is why this type of malware is often detected only after several months or years of activity.
What can this malware do?
As mentioned, this malware has the ability to steal everything inside a Mac: it can collect passwords, take screenshots, and even obtain iPhone backups. Once this information has been stolen, it can easily be transferred over the Internet to a remote machine.
How do systems get infected?
Information on the infection techniques used is not yet very clear. However, according to BitDefender itself, the Komplex software (a MacKeeper-style application) may be one of the vectors responsible. As a primary form of protection, users should only download applications from the Mac App Store, avoiding sites and developers not vetted by Apple's app store.