XAgent: APT28 cyber espionage on macOS

Wednesday 4 October 16:30 - 17:00, Green room

Tiberius Axinte (Bitdefender)

Historically, machines running macOS have been much less prone to malware attacks than Windows machines. Of course, this is largely because Windows, with its dominant market share, has long been a far more appealing target for attackers. But in recent years, as Apple's share of the PC market has grown, malware specifically targeting Apple's Mac platform has slowly but surely begun to increase. In the process, the malware attacks targeting Macs have also become far more insidious and, at times, sophisticated.


Targeted attacks are usually deployed to interfere with the operation of specific entities. To get the job done, the attackers stay under the radar for a considerable period of time, operating unrestricted in the victim's environment. The pieces of malware are usually custom-made, with just enough features to carry out the attacks for which they have been designed.


Attacks such as those persistently carried out by the APT28 group (also known as Fancy Bear) target multiple individuals in multiple organizations running a wide range of hardware and software configurations. This cyber espionage group is known to have Russian origins. Some security vendors say it is associated with a Russian military intelligence agency. Likely operating since the mid-2000s, APT28's methods are consistent with the capabilities of nation-state actors. The threat group is known to target government, military, and security organizations, especially Transcaucasian and NATO-aligned states. APT28 is thought to have been responsible for cyber attacks on the German parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, and the Organization for Security and Co-operation in Europe.


Late last year a security company discovered the first macOS component related to APT28, known as Komplex, which targets individuals in the aerospace industry running the OS X operating system. The main functionality of this component was to download and run another component that, at the time, remained a mystery. We believe that we have found this component: XAgent Backdoor.


This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the backdoor's components featuring various espionage functionalities, such as key-logging, screen-grabbing and file exfiltration. Until now this component has only existed for Windows, Linux and iOS operating systems. Though you might expect the Mac version of XAgent to simply be the iOS version compiled to work on Mac, it is actually a different creation that brings with it more spying capabilities, such as stealing iOS backups from Mac computers, which contain messages, contacts, voicemail, call history, notes, calendar and Safari data.
