Russians Who Hacked DNC Now Targeting Macs


The Russian group that hacked the Democratic National Committee during last year’s presidential election is now targeting Macs, according to security firm Bitdefender Labs (via Macworld). APT28, also known as Sofacy, Sednit, and other names, has been developing malware that targets Macs and gives the group remote access to those machines.

Bitdefender published a PDF about APT28 explaining what is known about the group’s identity and operations, for those curious about them.


Mac Malware

The malware Bitdefender found is a variant of Xagent, or X-Agent, a previously known piece of malware for Windows and Linux. Bitdefender traced similarities in the code that tied the variant to APT28, and said it is being distributed through the Komplex installer, a known Mac trojan.

According to the company:

Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C servers. After the communication has been established, the payload starts the modules.

Our preliminary analysis shows most of the C&C URLs impersonate Apple domains.

Once connected to the C&C, the payload sends a HelloMessage, then spawns two communication threads running in infinite loops. The former uses POST requests to send information to the C&C, while the latter monitors GET requests for commands.
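Two of the behaviours in Bitdefender’s description are visible from the network side: command-and-control hosts that impersonate Apple domains, and a client that repeatedly POSTs to and GETs from the same host. The following Python script is an added example, not code from the article or from Bitdefender; it runs the two checks over a handful of constructed proxy log lines. The log format, the allow-list of legitimate Apple domains and the lookalike hostnames are all assumptions made for the example (no real indicators are used).

```python
"""Flag Apple-lookalike hosts and POST/GET beacon pairs in HTTP proxy logs.

Added example for illustration; log format and sample values are constructed.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client IP, method, URL, HTTP status.
# None of the hostnames below are real indicators; they exist only for this demo.
SAMPLE_LOG = """\
2017-02-14T09:00:01Z 10.0.0.12 GET https://www.apple.com/mac/ 200
2017-02-14T09:00:05Z 10.0.0.12 POST https://apple-support-update.example/api/v1/ 200
2017-02-14T09:00:35Z 10.0.0.12 GET https://apple-support-update.example/api/v1/ 200
2017-02-14T09:01:05Z 10.0.0.12 POST https://apple-support-update.example/api/v1/ 200
2017-02-14T09:01:35Z 10.0.0.12 GET https://apple-support-update.example/api/v1/ 200
2017-02-14T09:02:00Z 10.0.0.12 GET https://www.icloud.com/ 200
2017-02-14T09:02:10Z 10.0.0.13 GET https://icloud-login.example/ 200
"""

# Assumption: the organisation maintains an allow-list of genuine Apple domains.
LEGIT_APPLE_DOMAINS = ("apple.com", "icloud.com", "mzstatic.com")
# Brand tokens whose presence in an unknown hostname is worth a second look.
BRAND_TOKENS = ("apple", "icloud", "itunes")


def is_legit(host):
    """True if host is one of the allow-listed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_APPLE_DOMAINS)


def looks_like_apple(host):
    """True if the hostname contains an Apple brand token anywhere."""
    h = host.lower()
    return any(tok in h for tok in BRAND_TOKENS)


def parse_line(line):
    """Split one constructed log line into fields; return None on malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        return None
    return {"ts": ts, "client": client, "method": method, "host": host, "status": status}


def find_lookalike_hosts(log_text):
    """Hosts that carry an Apple brand token but are not under a legitimate domain."""
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and looks_like_apple(rec["host"]) and not is_legit(rec["host"]):
            seen.add(rec["host"])
    return sorted(seen)


def beacon_candidates(log_text, min_requests=4):
    """(client, host, posts, gets) for hosts a client both POSTs to and GETs from.

    Mirrors the two-thread pattern in the description: one thread sends data
    with POST, the other polls for commands with GET, both in a loop.
    """
    by_pair = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_pair[(rec["client"], rec["host"])][rec["method"]] += 1
    out = []
    for (client, host), methods in by_pair.items():
        if methods["POST"] and methods["GET"] and sum(methods.values()) >= min_requests:
            out.append((client, host, methods["POST"], methods["GET"]))
    return sorted(out)


def triage(log_text):
    """Map each flagged host to the list of reasons it was flagged."""
    lookalikes = set(find_lookalike_hosts(log_text))
    beacons = {host for _, host, _, _ in beacon_candidates(log_text)}
    result = {}
    for host in lookalikes | beacons:
        reasons = []
        if host in lookalikes:
            reasons.append("lookalike-domain")
        if host in beacons:
            reasons.append("post-get-beacon")
        result[host] = reasons
    return result


if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host}: {', '.join(reasons)}")
```

A host that trips both checks (brand lookalike plus a POST/GET loop from one client) is the stronger signal; a lookalike alone may just be a CDN or a partner site, so the allow-list needs to be kept current before this is used for alerting.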

Surveillance

Once installed, the malware can grab a list of running processes and run additional files. It can also grab desktop screenshots and harvest browser passwords.

“But the most important module, from an intelligence-gathering perspective,” the company said, “is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.”

Be Careful

All of which means there’s a nasty bit of malware out there. Don’t install anything from a source you don’t know.

4 Comments

  1. LV_Doc

    If I get any emails from my bank, etc., I never follow any links in those emails, nor do I open or download any attachments. I go directly to the bank (etc.) site online and log in. If the message is valid, it’s likely in my inbox on that site. If nothing’s there or I’m just not sure, I initiate a chat and verify that I received a valid email. Sometimes they verify that the email is valid. I’ll then trust it.
