New macOS malware blamed on Russian group behind election hacks


Security researchers have discovered a new form of macOS malware that is believed to have been designed by the same Russian group that was blamed for the hacking of the Democratic National Committee in 2016.

Based on Xagent, code that has previously be used to attack Windows, iOS, Android and Linux devices, the Mac version is a modular backdoor that can be customized depending on the objectives of an attack.

According to a blog post from security firm Bitdefender Labs, the code is most likely distributed by infected files that use the Komplex downloader. Once it has checked for security protocols, it sends back information from the machine to a command and control center. That information can include log passwords and system configurations, allowing the code to execute files, take screenshots of the display and access iOS backups stored on the Mac.

The Russian connection comes via analysis of the code, which Bitdefender claims shares a number of similarities between the APT28 Xagent component for Windows/Linux malware that has been found in the wild previously. APT28, sometimes referred to as Fancy Bear or Pawn Storm, is a decade-old Russian hacking group that is believed to be the sole user and likely developer of the Xagent trojan. According to the security firm FireEye Inc., it is most likely sponsored by the Russian government.

Along with attacking the DNC, APT28 is also claimed to have targeted government, military and security organizations, including a cyberattack on the German parliament, the French television station TV5Monde, the White House, NATO and the Organization for Security and Cooperation in Europe.

The news of potentially new Russian hacking attempts comes on the same day that Microsoft Corp. President Brad Smith called on the world’s governments to come together in a Geneva Convention-style meeting to agree to rules for protecting civilians from government-sponsored cyberattacks.

Image: Pixabay/Public Domain CC0