Russian Mac malware steals passwords and iPhone backups


Still think your Mac is immune from viruses? Think again.

Just a week after a new strain of Mac malware was found hidden inside malicious Microsoft Word macros, security researchers have discovered sophisticated new software from Russian hackers that targets your saved passwords and iPhone backups.

The new Mac malware was created by APT28, a group blamed for interfering with last year’s U.S. presidential election by hacking the Democratic National Committee. The group was already infamous before this for its long list of attacks on iOS, Android, Windows and Linux.

Now the group is targeting Macs with a new version of “Xagent,” a modular backdoor that can be customized to do different things. Security software company Bitdefender found that this particular strain is capable of stealing saved user passwords and highly sensitive iOS backups, among other things.

“The analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords,” Bitdefender writes. “But the most important module, from an intelligence-gathering perspective, is the one that allows the operator(s) to exfiltrate iPhone backups stored on a compromised Mac.”

How APT28’s Xagent Mac malware works

Once the malware makes its way onto your system, it establishes communication with a server, then runs different modules that grab all kinds of information from your Mac.

“Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation,” writes Bitdefender. “For once, there is the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, as well as a similar network module called HttpChanel.”

The good news is this is described as targeted attack malware, which means you’re unlikely to become a victim of it unless APT28 hits your system specifically. It’s unlikely you’ll find it lurking in the wild. And if you’re an average Joe, you’re probably not an APT28 target.

However, Bitdefender is still analyzing Xagent, so we’ll have to wait for further information.

