Xagent Mac Malware

Xagent is the name of a piece of malware that can infect computers running MacOS, among other devices and operating systems. The malware is believed to have links to the threat actor group collectively known as Fancy Bear or APT28 - an entity operating out of Russia that some believe is backed by the Russian military intelligence agency.

The malware was not always intended to target Mac computers. According to security researchers, Xagent's origins can be traced back to a piece of malware that was tailor-made to infect the software running on Ukrainian artillery howitzers.

An earlier version of the Xagent source code was obtained by security researchers back in 2015 and an extensive analysis was published. However, the Mac version of the malware is a little different.

The Xagent variant that affects Macs is distributed through the Komplex downloader and is also sometimes referred to as XAgentOSX - a mash-up of the Windows Xagent malware's name and OS X, the name of Apple's desktop OS prior to 2016.

The Mac version of Xagent can receive commands from its operators through command and control servers. Additionally, the malware has a keylogger module and can record keystrokes on the compromised machine.

There is a wide range of commands that the command and control server can feed into the malware on the infected system. Those include commands to collect information about currently running processes, username and OS version.

Additionally, Xagent can check if the compromised computer has a backup of a mobile iOS device on its storage. The malware can also download additional files from specified locations. Once a file has been downloaded, the C2 server can also execute it using a different command. Finally, the malware can also create an exhaustive list of all files found on the target system and take screenshots at set intervals of time.

When analyzed by security company Palo Alto Networks, the malware was found to contact the following C2 servers:

23.227.196[.]215
apple-iclods[.]org
apple-checker[.]org
apple-uptoday[.]org
apple-search[.]info
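A detection check that refangs the indicators listed above and runs them over DNS and proxy log lines, added here as an example; it is not part of the original article or of Palo Alto Networks' analysis. The log format and the sample lines are constructed and hypothetical; domains match exactly or as a parent of the looked-up host, the IP matches exactly.

```python
import ipaddress

# C2 indicators reported for XAgentOSX above, kept in the page's defanged "[.]" form.
XAGENT_C2_INDICATORS = [
    "23.227.196[.]215",
    "apple-iclods[.]org",
    "apple-checker[.]org",
    "apple-uptoday[.]org",
    "apple-search[.]info",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable lower-case value."""
    return indicator.replace("[.]", ".").lower()


def build_matcher(indicators):
    """Split indicators into an IP set (exact match) and a domain set."""
    ips, domains = set(), set()
    for raw in indicators:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:  # not an IP literal, so treat it as a domain
            domains.add(value)
    return ips, domains


def host_matches(host: str, ips, domains) -> bool:
    """IPs match exactly; domains match exactly or as a parent of the host."""
    host = host.lower().rstrip(".")
    return host in ips or any(host == d or host.endswith("." + d) for d in domains)


# Constructed sample lines in a hypothetical "<time> <client> <type> <dest>" format.
SAMPLE_LOG = """\
2021-05-24T10:01:02Z 10.0.0.12 dns www.apple.com
2021-05-24T10:01:05Z 10.0.0.12 dns apple-iclods.org
2021-05-24T10:02:11Z 10.0.0.15 http 23.227.196.215
2021-05-24T10:03:40Z 10.0.0.15 dns cdn.apple-search.info
2021-05-24T10:04:00Z 10.0.0.20 dns notapple-checker.org
"""


def find_c2_hits(log_text: str, indicators=XAGENT_C2_INDICATORS):
    """Return (client, destination) pairs whose destination matches a C2 indicator."""
    ips, domains = build_matcher(indicators)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and host_matches(parts[3], ips, domains):
            hits.append((parts[1], parts[3]))
    return hits
```

The last sample line shows why the domain check requires a "." boundary: a look-alike such as notapple-checker.org must not be reported as a hit.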

The researchers also believed that the actors operating both Windows and Mac versions of the Xagent malware have set up a centralized command and control infrastructure, which allows them to control devices running both operating systems using the same servers and methods.

Xagent is significantly more dangerous than the garden-variety browser hijacker that is commonly associated with the words "Mac malware". Luckily for regular home users, it is primarily used in highly targeted attacks and is not distributed in the malicious spam email campaigns that have much greater reach.

May 24, 2021