Researchers at Bitdefender Labs found a sample of a Mac-native version of the malware linked to Russian threat group APT28, the government-linked hackers who took down the DNC. It allows them to obtain passwords, capture screenshots, and even steal iPhone backups stored on an infected Mac.
“The analysis reveals the presence of modules that can probe the system for hardware and software configurations, grab a list of running processes and run additional files, as well as get desktop screenshots and harvest browser passwords,” the Bitdefender Labs report reads. “The most important module, from an intelligence-gathering perspective, is the one that allows the operator(s) to infiltrate iPhone backups stored on a compromised Mac.”
The research group believes this macOS discovery is linked to the APT28 group because of similarities to the Xagent malware agent found in the Windows/Linux attacks. It says the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, also suggests the malware comes from the same group.
It also said the malware reports to the same command-and-control URL used by APT28 for its other ‘Komplex’ malware tool.
We don’t know much else about the malicious software. Bitdefender Labs is still analyzing the modules it found in the malware and plans to release a full report soon.
In the meantime, do yourself a favor and install some antivirus software.