XAgent: APT28 cyber espionage on macOS

Wednesday 4 October 16:30 - 17:00, Green room

Tiberius Axinte (Bitdefender)

Historically, machines running the macOS have been much less prone to various types of malware attacks than Windows machines. Of course, this is largely due to the fact that, on account of its dominant market share, Windows has long been a much more appealing target for hackers. But in recent years, as Apple’s share of the PC market has grown, malware specifically targeting Apple’s Mac platform has slowly but surely begun to increase. In the process, the types of malware attacks targeting Macs have also became far more insidious and, at times, sophisticated.

Targeted attacks are usually deployed to interfere with the operation of specific entities. In order to get the job done, the attackers keep under the radar for a considerable period of time, operating unrestricted in the victim's environment. The pieces of malware are usually custom-made with just enough features to help them carry out the attacks for which they have been designed.

Attacks such as those persistently carried out by the APT28 group (also known as Fancy Bear) target multiple individuals in multiple organizations running a wide range of hardware and software configurations. This cyber espionage group is known to have Russian origins. Some security vendors say it is associated with a Russian military intelligence agency. Likely operating since the mid-2000s, APT28's methods are consistent with the capabilities of nation-state actors. The threat group is known to target government, military, and security organizations, especially Transcaucasian and NATO-aligned states. APT28 is thought to have been responsible for cyber attacks on the German parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, and the Organization for Security and Co-operation in Europe.

Late last year a security company discovered the first macOS component related to APT28, known as Komplex, which targets individuals in the aerospace industry running the OS X operating system. The main functionality of this component was to download and run another component that, at the time, remained a mystery. We believe that we have found this component: XAgent Backdoor.

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the backdoor's components featuring various espionage functionalities, such as key-logging, screen-grabbing and file exfiltration. Until now this component has only existed for Windows, Linux and iOS operating systems. Though you might expect the Mac version of XAgent to simply be the iOS version compiled to work on Mac, it is actually a different creation that brings with it more spying capabilities, such as stealing iOS backups from Mac computers, which contain messages, contacts, voicemail, call history, notes, calendar and Safari data.



Tiberius Axinte

Tiberius Axinte is a tech-lead in the Antimalware Lab - R&D, at Bitdefender, leading the macOS/iOS detection team. He has been working in the security industry for more than seven years.






Other VB2017 papers

Mariachis and jackpotting: ATM malware from Latin America

Thiago Marques (Kaspersky Lab)

Fabio Assolini (Kaspersky Lab)

Of all the forms of attack against financial institutions in the world, the ones that are most likely to combine traditional…

XAgent: APT28 cyber espionage on macOS

Tiberius Axinte (Bitdefender)

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…

Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.