Russian hacking group Fancy Bear, believed to be behind the cyberattack on the Democratic National Committee (DNC) in the run-up to the 2016 US presidential election, is now broadening its cyber-espionage campaign by spreading malware to Apple's MacBooks, according to cybersecurity experts.
The Xagent malware, designed to collect hacked files from iPhones and transmit them to servers operated by the attackers, is now targeting MacBooks, say security researchers at Bitdefender Labs. Fancy Bear, also known as APT28, is also known for its advanced cyberwarfare tools for penetrating Windows, iOS, Android and Linux devices.
The latest payload is specially designed for victims running Mac OS X and steals passwords, grabs screenshots and steals iPhone backups stored on their MacBooks. OS X is the current series of the Unix-based operating system developed and marketed by Apple, which means all MacBook models released in 2016, along with any other Mac running OS X, are vulnerable.
The malware acts as a backdoor with advanced cyber-espionage capabilities and is planted on the system via the Komplex downloader. Once installed, the malware checks whether a debugger is attached to its process; if it detects one, it terminates itself to avoid being analysed.
If it does not detect a debugger, the malware waits for an Internet connection before initiating communication with its command and control (C&C) servers. C&C servers are computers that issue commands to the members of a botnet. Once this communication has been established, the payload starts its work.
Bitdefender researchers say the malware is quite sophisticated and that they do not yet have a solution to defend Macs from it. They do note, however, that the Komplex downloader appears to be the group's preferred means of delivering the malware.
Fancy Bear, known by various aliases including Pawn Storm, Sofacy Group and Sednit, has allegedly been linked to Russia's military intelligence, which has earned it the label of "state-sponsored hackers". The Russian government, however, has categorically denied any connection to the hacking group. Apart from the infamous DNC hack, the group has been seen as the prime suspect in various other cyber-attacks, such as the hack of French television network TV5Monde, the WADA hack, the Ukrainian artillery site hack and the latest attack on Dutch ministries in February.