Russian cyberspies blamed for U.S. election hacks are now targeting Macs
Macworld ^ | FEB 14, 2017 10:45 AM PT | By Lucian Constantin

Posted on 02/14/2017 6:28:55 PM PST by Swordmaker

Security researchers found a macOS version of the X-Agent malware used by the APT28 cyberespionage group

Security researchers have discovered a macOS malware program that’s likely part of the arsenal used by the Russian cyberespionage group blamed for hacking into the U.S. Democratic National Committee last year.

The group, which is known in the security industry under different names, including Fancy Bear, Pawn Storm, and APT28, has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent.

X-Agent variants for Windows, Linux, Android, and iOS have been found in the wild in the past, but researchers from Bitdefender have now come across what appears to be the first macOS version of the Trojan.

It’s not entirely clear how the malware is being distributed because the Bitdefender researchers only obtained the malware sample, not the full attack chain. However, it’s possible a macOS malware downloader dubbed Komplex, found in September, might be involved.

Komplex infected Macs by exploiting a known vulnerability in the MacKeeper antivirus software, according to researchers from Palo Alto Networks who investigated the malware at the time. The vulnerability allowed attackers to execute remote commands on a Mac when users visited specially crafted webpages.

Palo Alto Networks noted similarities between the Komplex downloader and a variant of the Carberp Trojan that APT28 is also known to have used. The command-and-control domain names used by the Trojan had also been associated with APT28’s activity.

The new X-Agent macOS version uses very similar domain names to the Komplex Trojan, with only their TLD different, the Bitdefender researchers said. There are also identical project path strings inside both the Komplex and X-Agent samples, suggesting they were created by the same author.

The X-Agent malware can load additional modules, which the Bitdefender researchers are still investigating. So far, they’ve found functionality that allows attackers to probe the system for hardware and software configurations, grab a list of running processes, execute additional files, get desktop screenshots, and harvest browser passwords. One module is designed to search for and steal iPhone backups stored on Macs, which can contain further sensitive information about the targeted users.

“Our past analysis of samples known to be linked to the APT28 group shows a number of similarities between the Xagent component for Windows/Linux and the macOS binary that currently forms the object of our investigation,” the Bitdefender researchers said in a blog post. “For one, there is the presence of similar modules, such as FileSystem, KeyLogger, and RemoteShell, as well as a similar network module called HttpChanel.”

APT28 is considered to be one of the most sophisticated and successful cyberespionage groups in the world and it frequently uses zero-day exploits—exploits for previously unknown vulnerabilities. The group has been blamed for many hacking operations around the world over the years, and its selection of targets has frequently reflected Russia’s geopolitical interests. Security researchers believe that the group is likely tied to the Russian Military Intelligence Service (GRU).


TOPICS: Business/Economy; Computers/Internet; Conspiracy
KEYWORDS: apple; applepinglist; fakenews; mac; mackeeper; macs; malware
Please note, this is a TROJAN: you have to accept the download and ignore glaring warnings from the Apple operating systems THREE TIMES, which are telling you that you are doing something dangerous to your computer, something industrial-strength stupid if you continue. Once when you continue to download it, again when you install it, and finally when you run it for the first time!

Secondly, it only works if you were stupid enough to install MacKeeper on your computer, which is malware in and of itself. MacKeeper was SUED by 36 Attorneys General two years ago for FRAUD and lost! The trial judge required them to REFUND every penny they had been paid by their customers due to that fraud. DO NOT INSTALL MacKeeper on your Macs! If you have done so, UNINSTALL it immediately!

1 posted on 02/14/2017 6:28:55 PM PST by Swordmaker

To: Swordmaker

What election hacks? Evidence or is MacWorld listening to Maxine Waters?


2 posted on 02/14/2017 6:42:10 PM PST by Insigne123

To: Swordmaker

Big Macs?


3 posted on 02/14/2017 6:44:42 PM PST by McGruff (Drain The Swamp)

To: McGruff

Macs.

Good, I first thought they were targeting Mars.


4 posted on 02/14/2017 6:53:49 PM PST by Scrambler Bob (Brought to you from Turtle Island, otherwise known as 'So-Called North America')

To: ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; AFreeBird; ...
Fake News claiming the Russian hackers who hacked the DNC have now started targeting Macs with a TROJAN that exploits a weakness in MacKeeper software. ROTFLMAO! — PING!


Solve the problem, say "No to MacKeeper!" EVER!
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

5 posted on 02/14/2017 6:57:31 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Scrambler Bob

Well, we do have an American flag on Mars. Maxine Waters says it is so.


6 posted on 02/14/2017 7:00:45 PM PST by AFreeBird

To: Insigne123
What election hacks? Evidence or is MacWorld listening to Maxine Waters?

As I said, "Fake News."

7 posted on 02/14/2017 7:04:45 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
Thank you so much for keeping us Mac users sane under the bombardment of fake news, a.k.a. FUD.

8 posted on 02/14/2017 7:08:50 PM PST by conservatism_IS_compassion

To: conservatism_IS_compassion

I would like to think that our geeks are better than theirs. For starters they make more money here.


9 posted on 02/14/2017 7:17:57 PM PST by DIRTYSECRET (urope. Why do they put up with this.)

To: Nailbiter

mac ping


10 posted on 02/14/2017 7:18:15 PM PST by IncPen (I just found out that PIAPS is a reference to the "Pig In A Pants Suit". Ha! #NeverHillary)

To: DIRTYSECRET

Our geeks make big money legally. Their geeks probably make much bigger money illegally. You don’t think these virus and trojan authors and operators of botnets are doing their nefarious work for fun?


11 posted on 02/14/2017 7:32:59 PM PST by ProtectOurFreedom

To: Swordmaker

Thanks for the article bro.


12 posted on 02/14/2017 7:34:24 PM PST by Mark17 (20 Years USAF ATCer, Retired. 25 years CDCR C/O, Retired)

To: Swordmaker

Do you use Adobe Flash?


13 posted on 02/14/2017 7:53:57 PM PST by tubebender

To: tubebender

Does THIS answer your question, tubebender?

14 posted on 02/14/2017 8:04:09 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
