XAgent: APT28 cyber espionage on macOS

Presented at VB2017, Oct. 4, 2017, 4:30 p.m. (30 minutes)

Historically, machines running *macOS* have been much less prone to malware attacks than *Windows* machines. This is largely because, on account of its dominant market share, *Windows* has long been a far more appealing target for attackers. But in recent years, as *Apple*'s share of the PC market has grown, malware specifically targeting *Apple*'s *Mac* platform has slowly but surely begun to increase. In the process, the types of malware attacks targeting *Macs* have also become far more insidious and, at times, sophisticated.

Targeted attacks are usually deployed to interfere with the operation of specific entities. To get the job done, the attackers stay under the radar for a considerable period of time, operating unrestricted in the victim's environment. The pieces of malware are usually custom-made with just enough features to carry out the attacks for which they have been designed. Attacks such as those persistently carried out by the APT28 group (also known as Fancy Bear) target multiple individuals in multiple organizations running a wide range of hardware and software configurations. This cyber espionage group is known to have Russian origins, and some security vendors say it is associated with a Russian military intelligence agency. Likely operating since the mid-2000s, APT28 uses methods consistent with the capabilities of nation-state actors. The threat group is known to target government, military and security organizations, especially Transcaucasian and NATO-aligned states. APT28 is thought to have been responsible for cyber attacks on the German parliament, the French television station *TV5Monde*, the White House, NATO, the Democratic National Committee, and the Organization for Security and Co-operation in Europe.
Late last year a security company discovered the first *macOS* component related to APT28, known as Komplex, which targets individuals in the aerospace industry running the *OS X* operating system. The main functionality of this component was to download and run another component that, at the time, remained a mystery. We believe that we have found this component: XAgent Backdoor. This paper provides an in-depth analysis of the *macOS* version of the APT28 component known as XAgent. We will dissect the backdoor's components featuring various espionage functionalities, such as key-logging, screen-grabbing and file exfiltration. Until now this component has only existed for *Windows*, *Linux* and *iOS* operating systems. Though you might expect the *Mac* version of XAgent to simply be the *iOS* version compiled to work on *Mac*, it is actually a different creation that brings with it more spying capabilities, such as stealing *iOS* backups from *Mac* computers, which contain messages, contacts, voicemail, call history, notes, calendar and *Safari* data.

Presenters:

  • Tiberius Axinte - Bitdefender
    Tiberius Axinte is a tech lead in the Antimalware Lab (R&D) at Bitdefender, where he leads the macOS/iOS detection team. He has been working in the security industry for more than seven years.