Cyberespionage on macOS: APT28 The Whole Puzzle

Tiberius Axinte, Technical Leader, Bitdefender

Targeted attacks are usually deployed to interfere with the operation of specific entities. To get the job done, the attackers stay under the radar for a considerable period of time, operating unrestricted in the victims’ environment. The tools are usually custom-made, with just enough features to carry out the attacks they were designed for.

Attacks such as those persistently carried out by APT28 (Fancy Bear, Sednit, Sofacy) target multiple individuals in multiple organizations who run a wide range of hardware and software configurations. This cyber espionage group is known to have Russian origins. Some security vendors say it is associated with a Russian military intelligence agency.

Likely operating since the mid-2000s, APT28’s methods are consistent with the capabilities of nation-state actors. The threat group is known to target government, military, and security organizations, especially Transcaucasian and NATO-aligned states. APT28 is thought to be responsible for cyber attacks on the German parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, and the Organization for Security and Co-operation in Europe.

Late last year another security company discovered the first macOS component related to APT28, known as Komplex, targeting individuals in the aerospace industry running the OS X operating system. The main functionality of this component was to download and run another component that was a mystery at that time. We believe we have found this component: the XAgent backdoor.

Earlier this year we discovered the last missing piece of the APT28 puzzle on macOS:

XAgent, a modular backdoor with spying capabilities, such as key-logging, screen grabbing and file exfiltration. Until now this component was only available for Windows, Linux and iOS operating systems. Though you might expect this Mac version of XAgent to be the iOS version compiled to work on Mac, it is a different creation that brings more spying capabilities such as stealing iOS backups from Mac computers, which contain messages, contacts, voicemail, call history, notes, calendar and Safari data.

The paper focuses on an in-depth analysis of the entire macOS version of APT28. We will dissect the downloader and backdoor components, and present the entire attack vector of this malware on macOS, from a misleading Russian Federal Space Program document to a backdoor implant with more spying capabilities than on other operating systems like Linux or Windows.

Tiberius Axinte

Tiberius Axinte is a tech-lead in the Antimalware Lab – R&D, at Bitdefender, leading the macOS/iOS detection team. He has been working in the security industry for more than seven years.