Security researchers have discovered a new type of malware which targets macOS users. The company says that the malware, which it has dubbed Xagent, is capable of stealing passwords, taking screenshots and grabbing iPhone backups stored on the machine.
Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C servers. After the communication has been established, the payload starts the modules.
Bitdefender says it still can't be absolutely certain of who is behind the malware, but all evidence points in the direction of the APT28 cybercrime group.
"Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation," Bitdefender said.
Bitdefender's analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords.
But the most important module, from an intelligence-gathering perspective, is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.
Bitdefender's investigation is ongoing so there is not much the company can say yet.