The Russian state-sponsored hacker group known as APT28, or Fancy Bear, has reportedly launched a new malware campaign targeting Mac users.
Researchers claim APT28 is targeting Mac OS X devices to steal users’ passwords, take screenshots and extract iPhone backup and software configuration data.
The malware is allegedly a variant of Xagent, which is known to steal credentials and backup data. The new malware is built similarly to previous strains APT28 has used against Windows and Linux users, according to the researchers. The new campaign also uses FileSystem, KeyLogger and RemoteShell modules.
The researchers discovered the command and control (C&C) IP addresses used in the new attacks are linked to a previous malware campaign run by APT28 called Komplex.
Once the attackers get the malware onto an OS X device, the script scans for security mechanisms. The malware will not proceed with the infection if it determines that debugging capabilities are present on the device.
If the malware does not detect a debugger, the malicious software connects to APT28’s C&C as soon as there is an Internet connection. Once the connection is established, the malware begins to deliver the payload, according to the researchers. The malware allegedly displays a message and then starts two communication threads that run in infinite loops.
The researchers claim one of the communication threads sends information to the C&C, while the other receives commands.
Mac users should refrain from clicking on links or attachments in emails sent by unknown senders to mitigate these types of attacks. Users should also ensure their OS X installation is up to date and adopt cybersecurity mechanisms to better protect their data.