Security experts at BitDefender have discovered a MAC OS malware program that’s likely part of the arsenal of the dreaded Russian APT 28 group (aka Pawn Storm , Sednit, Sofacy Fancy Bear and Tsar Team). The Russian nation-state actor was involved in the cyber attacks against the U.S. Democratic National Committee during 2016 Presidential election

The researchers believe the group has developed a malware called Sofacy or X-Agent that was associated only with its espionage campaigns.

The experts observed several strains of the X-Agent specifically designed to compromise Windows, Linux, iOS and Android OSs.

Now researchers at Bitdefender have spotted the first version of the X-Agent that was developed to compromise MAC OS systems.

The security firm hasn’t revealed how it has discovered the MAC OS version of the X-Agent, and currently, there is no information on the attack chain.

“APT 28 operators have upped their game – the Xagent payload now can target victims running Mac OS X to steal passwords, grab screens and steal iPhone backups stored on the Mac.” reads the analysis published by Bitdefender.

The X-Agent is a modular backdoor that was most likely planted on the target machines via the Komplex downloader.

The X-Agent malware is able to load additional modules, it could be used as backdoor or to perform a reconnaissance on the target system by gathering information of hardware and software components of the target host.

In September 2016, Palo Alto researcher Ryan Olson, discovered that Fancy Bear used the Komplex trojan to target organizations in the aerospace sector that were using the MacKeeper antivirus software.

““The Sofacy group, also known as APT28, Pawn Storm, Fancy Bear, and Sednit, continues to add to the variety of tools they use in attacks; in this case, targeting individuals in the aerospace industry running the OS X operating system. During our analysis, we determined that Komplex was used in a previous attack campaign targeting individuals running OS X that exploited a vulnerability in the MacKeeper antivirus application to deliver Komplex as a payload.” reads the analysis published by PaloAlto in September 2016. “Komplex shares a significant amount of functionality and traits with another tool used by Sofacy – the Carberp variant that Sofacy had used in previous attack campaigns on systems running Windows. In addition to shared code and functionality, we also discovered Komplex command and control (C2) domains that overlapped with previously identified phishing campaign infrastructures associated with the Sofacy group.””

The Komplex malware has numerous similarities with the Carberp trojan, it was improved to gain access on PC and OS X systems and use the same command-and-control server.

The researchers noticed that Komplex’s C2 domain appleupdate[.]org was not used in the past by the group, while both the apple-iclouds[.]net and itunes-helper[.]net domains have direct ties to the activity of the APT 28.

The new MAC OS X-Agent leverages domain names similar to the one used by Komplex Trojan, they only differ for the TLD. The researchers noticed identical project path strings inside both the Komplex and X-Agent samples, a circumstance that suggests the involvement of the same development team.

“Other indicators show that today’s sample also reports to a C&C URL that is identical to the Sofacy/APT28/Sednit Komplex OSX Trojan, minus the TLD (apple-[*******].net for Komplex vs apple-[*******].org for Xagent).” states Bitdefender.

Summarizing, the Komplex component discovered in September 2016 has been exclusively used as a downloader and installer for the X-Agent binary.

The investigation is ongoing … stay tuned!

Pierluigi Paganini

(Security Affairs – X-Agent, APT 28 )