A Russian group that hacked the Democratic National Committee during last year’s presidential election is now targeting Macs, according to security firm Bitdefender Labs (via Macworld). APT28, also known as Sofacy, Sednit APT, and other names, has been developing malware that targets Macs and gives the Russians remote access to those machines.
Bitdefender published a PDF about APT28 that explains what is known about the group’s identity and operations, for those curious about them.
The malware Bitdefender found is a variant of Xagent (also written X-Agent), malware previously known on Windows and Linux. Bitdefender traced similarities in the code that tied the variant to APT28, and said it is being distributed through the Komplex installer, a known trojan.
According to the company:
Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C servers. After the communication has been established, the payload starts the modules.
Our preliminary analysis shows most of the C&C URLs impersonate Apple domains.
Once connected to the C&C, the payload sends a HelloMessage, then spawns two communication threads running in infinite loops. The former uses POST requests to send information to the C&C, while the latter monitors GET requests for commands.
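The two network behaviours in Bitdefender's description, C&C hosts that impersonate Apple domains and a pair of loops that POST data out and poll with GET for commands, are the kind of thing a defender can look for in proxy logs. The script below is an added example, not Bitdefender's code and not from the malware analysis. It assumes a simple constructed log format (`epoch client method host path status`), the log lines are constructed for the example, and the "lookalike" and "beaconing" heuristics are assumptions of this example rather than indicators published on the page.

```python
"""
Flag two behaviours attributed to the Mac Xagent variant in proxy logs:
  1. hosts that mention Apple brands but are not under a real Apple zone
  2. a client that both POSTs to and GETs from one host on a fixed cadence
All log lines and domain names here are constructed for this example.
"""
import re
from collections import defaultdict
from statistics import pstdev

# Legitimate Apple zones (assumed list). A host that merely contains an Apple
# brand token but is not under one of these zones is treated as a lookalike.
APPLE_ZONES = ("apple.com", "icloud.com", "mzstatic.com")
APPLE_TOKENS = ("apple", "icloud", "itunes")

# Constructed log format: "<epoch> <client_ip> <method> <host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>GET|POST) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample: one client alternating POST/GET to a lookalike host
# every 60 seconds, plus benign traffic from the same and another client.
SAMPLE_LOG = """\
1486540800 10.0.0.7 GET www.apple.com /itunes/ 200
1486540801 10.0.0.7 POST apple-checker.example /search 200
1486540802 10.0.0.7 GET apple-checker.example /watch 200
1486540861 10.0.0.7 POST apple-checker.example /search 200
1486540862 10.0.0.7 GET apple-checker.example /watch 200
1486540921 10.0.0.7 POST apple-checker.example /search 200
1486540922 10.0.0.7 GET apple-checker.example /watch 200
1486540930 10.0.0.9 GET updates.example /patch 200
1486540981 10.0.0.7 POST apple-checker.example /search 200
1486540982 10.0.0.7 GET apple-checker.example /watch 200
"""


def parse_log(text):
    """Parse log lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = int(d["ts"])
            events.append(d)
    return events


def is_apple_lookalike(host):
    """True if host uses an Apple brand token but is not under an Apple zone."""
    host = host.lower().rstrip(".")
    for zone in APPLE_ZONES:
        if host == zone or host.endswith("." + zone):
            return False
    return any(tok in host for tok in APPLE_TOKENS)


def beaconing_hosts(events, min_hits=3, max_jitter=5.0):
    """Return {(client, host): mean_interval} for pairs where the client sends
    at least min_hits POSTs at a near-constant interval and also issues GETs,
    matching the POST-upload / GET-poll loop pair described for Xagent."""
    by_pair = defaultdict(lambda: {"GET": [], "POST": []})
    for e in events:
        by_pair[(e["client"], e["host"])][e["method"]].append(e["ts"])
    hits = {}
    for (client, host), methods in by_pair.items():
        posts = sorted(methods["POST"])
        if len(posts) < min_hits or not methods["GET"]:
            continue
        gaps = [b - a for a, b in zip(posts, posts[1:])]
        if pstdev(gaps) <= max_jitter:
            hits[(client, host)] = round(sum(gaps) / len(gaps), 1)
    return hits


def analyse(text):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    lookalikes = sorted({e["host"] for e in events if is_apple_lookalike(e["host"])})
    return {"lookalike_hosts": lookalikes, "beacons": beaconing_hosts(events)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the constructed sample this reports `apple-checker.example` as a lookalike host and the 10.0.0.7 to `apple-checker.example` pair as a 60-second beacon. Real C&C traffic will not be this tidy, so the jitter threshold and the brand-token list are the knobs to tune against your own telemetry.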
Once installed, the malware can grab a list of running processes and run additional files. It can also grab desktop screenshots and harvest browser passwords.
“But the most important module, from an intelligence-gathering perspective,” the company said, “is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.”
All of which means there’s a nasty bit of malware out there. Don’t install anything from a source you don’t know.