Security researchers at antivirus software company Bitdefender have discovered a new variant of the Xagent malware that targets macOS and acts as a backdoor that can be customized depending on the objectives of an attack. Researchers traced similarities in the code that tied the malware variant to APT28, the hacking group accused of breaking into the U.S. Democratic National Committee last year.
Bitdefender isn't entirely sure how the Mac version of Xagent is being distributed, but says it's likely planted on the system via a known macOS malware downloader called Komplex. Once installed, the backdoor checks for the presence of a debugger. If it detects one, it terminates itself rather than continuing to execute. Otherwise, it waits for an Internet connection so it can communicate with its command-and-control (C&C) servers.
The Xagent payload includes modules capable of searching a target Mac's system configuration, offloading running processes and executing code. Capabilities include logging passwords, reading files, snapping pictures of screen displays, and stealing iOS backups stored on the compromised Mac.
Bitdefender notes its investigation into Xagent is ongoing. Users are advised to avoid downloading anything that doesn't come from the Mac App Store or a well-known developer.