Happy belated Valentine's Day...your Mac has just been infected by malware!
In the latest compromise to macOS security, researchers have detected a new strain of malware called Xagent that is making the rounds and infecting Macs. Yes, you read that right: Macs are not oblivious to malware.
Xagent is known to log keystrokes, steal passwords, take screenshots, and, most damning of all, detect the presence of iOS backups, which could later be used to exfiltrate sensitive information stored in those backups to threat actors in an effort to further compromise personal data stored on iPhones and iPads.
Believed to the handiwork of APT28, "The same Russian hackers who were linked to the hacking of the US Democratic National Committee have now turned their attention to Apple's Macintosh computers," according to CNET Senior Reporter Shara Tibken (CNET is a sister site of TechRepublic).
A full analysis of Xagent was performed by Bitdefender Labs, Intego, and Palo Alto Networks to highlight how the malware works and what is known thus far, pending further investigation by security researchers.
And yet, at the time of this writing, details pertaining to the infection method and future capabilities of this malware are still not confirmed; as such, the tips to stay safe below are based on industry best practices and what is known about the malware to develop the best chance of minimizing the possibility of infection by Xagent.
Don't let your guard down regarding emails and PDF attachments
A theory of the malware's possible infection vector stems from a trojan named Komplex, which was found in September 2016 to be infecting Macs through a combination of emails sent to specific targets (aka spear phishing) and containing a PDF attachment that held the malicious code that would lead to infecting the system upon opening the PDF.
While this is a common vector for infection for many trojans, it is nonetheless important for users to practice safe internet habits and not open or preview emails from unknown senders, and under no circumstances should you ever open an attachment that is sent to you from someone you don't know.
Install software only from authorized developers
While computers are understandably used to make our lives easier, the software that runs on them interacts with a lot of potentially sensitive data and can be targeted by threat actors or even be designed by them. To minimize this risk, Apple has implemented several technologies throughout the years, such as Gatekeeper and System Integrity Protection (SIP), that serve to allow authorized software developers with verified signatures the right to have their apps installed on macOS and to prevent malware from running by protecting system directories from unauthorized modification by rouge applications.
These technologies come turned on, by default, but can be manually disabled by administrators. Given the threats posed by malware introduced as trojans, setting Gatekeeper to allow software installs by the App Store and identified developers is a safe bet. Safer still, allowing software that comes from the App Store is the best protection.
SEE: Think Apple computers are still malware immune? This new attack proves otherwise (TechRepublic)
Keep macOS and applications up-to-date
System updates and patches to applications are available for every version of macOS over the last decade, and yet, I still find users that run on outdated OS and apps. In this particular case, Xagent does not have enough documentation to certify claims of specific exploits being used to carry out its commands; however, Komplex is believed to have ties to the infection vector used by Xagent, and Komplex is known to use exploit kits to infect hosts so keeping your OS and applications up-to-date offer the greatest protection to common vulnerabilities and exposures (CVE).
Monitor firewall logs
Apple's built-in firewall is better than nothing, but its lack of notifications require users to comb through Console logs to determine if their Mac has been infected and try to communicate with command and control (C&C) servers at any number of domains, most of which are eerily similar to Apple-controlled hosts in an effort to confuse users into thinking the communications are legitimate.
Another solution is to rely on third-party firewall applications, which are typically more robust and offer granular control over network monitoring, including detection and reporting of incoming and outgoing network transmissions to aid in determining whether your Mac is trying to "phone home" to a rogue server or is receiving commands from afar.
Some of the known C&C domains in use with Xagent are:
Install antimalware software
Several major security firms offer antivirus protection, including several free applications that are known to protect against Xagent, and support for scanning email attachments, as well as verifying secure URLs and ransomware protection built right in.
SEE: Malware Protection Policy (Tech Pro Research)
Protect your iOS backups
By default, iOS backs up all user data to your computer and allows you to restore the data, as necessary. With the increase in smartphone and tablet usage, and the reliance on these devices to store ever increasing amounts of sensitive, private data, Apple has allowed users to opt-in to encrypting their backups to add yet another layer of protection to their data on the hard disk.
While encrypting your iOS backup won't necessarily prevent anyone from making a copy of it and digital thieves from taking it off your compromised computer, it will stop them from accessing the contents of the backup, since encryption will effectively scramble the contents, making the data useless to all but those that have the password to decrypt it.
Additionally, if you password protect your iOS backup (which you should), please do not undermine the encryption protection by choosing an easy to guess password that is simple to crack—choose a complex, long password that utilizes multiple key spaces and is unique from all your other passwords in use. Do not store this password in plain text on your computer, phone, and/or sticky note on your desk either. Remember: Do not share your password with anyone, and, if possible, use an encrypted password manager to store the key for added security.
To manually check if your Mac has been compromised by Xagent, go to the following directory paths and verify if these files exist:
If they do, it is a good indicator that your computer may have been infected. You should permanently delete the files immediately, and run a full-system scan with an antivirus scanner to remove any lingering threats detected.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.