A new version of Xagent, malware reportedly created by Russian hacking group APT28, has been discovered, and this version targets Mac users.

As outlined in a blog post by antivirus company Bitdefender (via Ars Technica), Xagent has previously been used to infiltrate Windows, iOS, Android, and Linux devices, but now Macs are vulnerable to attack as well. This is the first version of Xagent that's believed to be able to infiltrate Macs.

The Mac version of Xagent is described as a backdoor that can be customized to do things like log passwords, detect system configurations, execute files, take screenshots of the display, and access iOS backups stored on the Mac.

The sample we are discussing today has been linked to the Mac OSX version of Xagent component from Sofacy/APT28/Sednit APT. This modular backdoor with advanced cyber-espionage capabilities is most likely planted on the system via the Komplex downloader.

Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C servers.

After the communication has been established, the payload starts the modules. Our preliminary analysis shows most of the C&C URLs impersonate Apple domains.
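The observation above that most C&C URLs impersonate Apple domains lends itself to a hunt over DNS or proxy logs for Apple-branded hostnames that are not under an Apple-owned domain. The following Python is an added example, not code from Bitdefender or from the original article; the allowlist, brand tokens, log layout and sample hostnames are assumptions constructed for illustration.

```python
import re

# Assumption: partial allowlist of Apple-owned registrable domains; extend it for your fleet.
APPLE_OWNED = {"apple.com", "icloud.com", "me.com", "mzstatic.com", "cdn-apple.com"}
BRAND_TOKENS = ("apple", "icloud", "itunes")

def edit_distance(a, b):
    # Levenshtein distance, used to catch one-character typosquats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_apple_owned(host):
    # Match on the right-hand side only: "apple.com.login.example" is NOT apple.com.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPLE_OWNED)

def brand_hit(host):
    """Return the brand token a hostname imitates, or None."""
    for piece in re.split(r"[.\-_]", host.lower()):
        for tok in BRAND_TOKENS:
            if tok in piece or (len(piece) >= 5 and edit_distance(piece, tok) <= 1):
                return tok
    return None

def flag_lookalikes(log_lines):
    """Return (client, host, token) for Apple-branded hosts outside the allowlist."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        client, host = fields[1], fields[2]
        if not is_apple_owned(host) and (tok := brand_hit(host)):
            findings.append((client, host, tok))
    return findings

# Constructed DNS-log lines (timestamp, client, queried name); no real indicators.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 www.apple.com",
    "2024-01-01T10:00:02Z 10.0.0.5 apple-update.example",
    "2024-01-01T10:00:03Z 10.0.0.7 gateway.icloud.com",
    "2024-01-01T10:00:04Z 10.0.0.7 icioud.example",
    "2024-01-01T10:00:05Z 10.0.0.9 apple.com.login.example",
    "2024-01-01T10:00:06Z 10.0.0.9 www.example.org",
]
```

Substring matching also flags benign names that merely contain a brand token (a host containing "pineapple", for instance), so hits are leads to triage rather than verdicts.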

APT28 is the cyberespionage group that has been accused of hacking into the U.S. Democratic National Committee last year and interfering with the 2016 presidential election.

Bitdefender isn't entirely sure how the Mac version of Xagent is being distributed to users, but it could be spread via a macOS malware downloader called Komplex, which exploits a vulnerability in the virus-like MacKeeper software. Research on the malware is ongoing.

Mac users concerned about Xagent should avoid downloading anything that doesn't come from the Mac App Store or a well-known developer.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Top Rated Comments

bluespark
63 months ago
A malware discussion is political? Everyone should be able to comment on this.
Score: 19 Votes
manu chao
63 months ago
Maybe it is time that MacKeeper is classified as malware by anti-malware applications ...
Score: 12 Votes
keysofanxiety
63 months ago
"Maybe it is time that MacKeeper is classified as malware by anti-malware applications ..."
It is. MalwareBytes deletes it.
Score: 5 Votes
John.B
63 months ago
"Mac users concerned about Xagent should avoid downloading anything that doesn't come from the Mac App Store or a well-known developer."
The attack vector is based on a vulnerability in Mackeeper.

Keep that off your Mac and you'll be fine.
Score: 5 Votes
Kajje
63 months ago
Installation of that Mackeeper pest should be blocked on firmware level.
Score: 2 Votes
997440
63 months ago
More information on this issue from @thomasareed. He's unable to post here because he has less than 100 posts.

He wanted to let us "know that this new 'XAgent' variant of Komplex has absolutely no relation to a MacKeeper exploit. The writer has conflated this variant with one specific older variant from 2015. As much as I'd like to be able to blame MacKeeper, that vulnerability was closed in 2015, and there's no indication whatsoever that MacKeeper is in any way involved with the 'XAgent' variant."

(Mr. Reed works for Malwarebytes and codes Malwarebytes Anti-Malware for Mac. Prior to this he developed Adware Medic and wrote extensively about security matters, and other Mac matters, at thesafemac((dot))com.)
Score: 2 Votes
