Russian hackers believed to be behind the hacks that hit the Democratic National Committee (DNC) last year have created a new tool that could be used to target macOS users.
The group, which goes by various names including Fancy Bear, Pawn Storm and APT28, is said to be targeting macOS users with a new version of the X-Agent Trojan, which has in the past been used against Windows, Linux, Android and iOS devices.
"Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation," Bitdefender researchers wrote.
"For once, there is the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, as well as a similar network module called HttpChanel."
According to the security firm, this is the first version of X-Agent to hit Apple's desktop OS. While it is not entirely clear how the malware is being distributed, it is likely that Komplex, a macOS malware which exploits a vulnerability in the virus-like MacKeeper software, is involved.
The X-Agent malware works like its Windows counterpart: it can steal passwords, grab screenshots, and exfiltrate backups of iPhones stored on the compromised Mac, as well as execute other malicious code on infected machines through the creation of a backdoor.
"Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C (control and command) servers. After the communication has been established, the payload starts the modules," Bitdefender explains.
The APT28 group is believed to have been active since at least 2007 and to have close ties with the Russian government.
Just last week it was revealed that macOS users were being infected with malware via a rogue Word document.