Russian hackers alleged to be behind Democratic Party attacks now focusing on MacOS

APT28/Pawn Storm/Fancy Bear Russian hacking group turns its talents to MacOS users

The hacking group alleged to be behind the attacks last year on the networks of the Democratic National Committee (DNC), the governing body of the US Democratic Party, has turned its talents to the well-heeled users of MacOS, according to security company Bitdefender.

The group, which has been referred to by a variety of different names, including Fancy Bear (by CrowdStrike), Pawn Storm (Trend Micro) and APT28 (FireEye), is said to be targeting macOS users with a new version of the X-Agent trojan, which has long wreaked havoc on Windows, Linux, Android and iOS devices.

"Our past analysis of samples known to be linked to APT28 group shows a number of similarities between the Sofacy/APT28/Sednit Xagent component for Windows/Linux and the Mac OS binary that currently forms the object of our investigation," Bitdefender researchers claimed.

"For once, there is the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, as well as a similar network module called HttpChanel."

According to the security firm, this is the first version of X-Agent to hit Apple's desktop OS, and while it's not entirely clear how the malware is being distributed, it's likely a macOS malware called Komplex, which exploits a vulnerability in the virus-like MacKeeper software, is involved.

The X-Agent malware works like its Windows counterpart and can steal passwords, grab screenshots, and exfiltrate backups of iPhones stored the compromised Mac, as well as execute other malicious code on infected machines through the creation of backdoor.

"Once successfully installed, the backdoor checks if a debugger is attached to the process. If it detects one, it terminates itself to prevent execution. Otherwise, it waits for an Internet connection before initiating communication with the C&C (control and command) servers. After the communication has been established, the payload starts the modules," Bitdefender explains.

It has been believed the APT28 hacker group responsible has been active at least since 2007 and has close ties with Russian government.

Just last week it was revealed that macOS users were being infected with malware via a rogue Word document.