Palo Alto Networks Discovers MacOS Trojan 'XAgentOSX'

Palo Alto Networks discovered a backdoor trojan called XAgentOSX that can take screenshots from, examine files stored on, and log keystrokes sent to a macOS computer. XAgentOSX is said to be made by a group called Sofacy that uses the similarly named XAgent to steal information from Windows PCs.

XAgentOSX appears to be related to Komplex, another trojan that targeted computers running the operating system formerly known as OS X, the company said. Komplex was likely used to install XAgentOSX--which has broader capabilities--by the malware's creators. Palo Alto Networks said it found "a loose connection to the attack campaign that Sofacy waged on the Democratic National Committee based on hosting data in both attacks."

So what information can XAgentOSX gather? Palo Alto Networks said that in addition to keylogging, the trojan can also be used to take screenshots or figure out if a Mac has been used to back up an iOS device. The company said in a blog post that digging around for backups is particularly noteworthy:

The ‘showBackupIosFolder’ command is rather interesting, as it allows the threat actors to determine if a compromised system was used to back up an iOS device, such as an iPhone or iPad. We believe this command is used to determine if a mobile device was backed up, and we speculate that the actors would use other commands within XAgent to exfiltrate those files.
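The check described above matters to defenders for the same reason it matters to the attackers: a Mac that holds iOS backups holds a copy of a phone's data. The following audit script is an added example and not code from Palo Alto Networks or from the malware; it reports whether a Mac holds iOS backups in the location Apple documents for Finder/iTunes backups (`~/Library/Application Support/MobileSync/Backup`, where each backup is a folder containing an `Info.plist`). The `Device Name` key and the sample tree built by `demo_with_sample_tree()` are assumptions constructed for the example.

```python
import plistlib
import tempfile
import time
from pathlib import Path

# Apple's documented location of Finder/iTunes iOS backups on macOS.
DEFAULT_BACKUP_DIR = (
    Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"
)


def find_ios_backups(base_dir=DEFAULT_BACKUP_DIR):
    """Return one record per iOS backup folder found under base_dir.

    Each backup lives in its own directory (named after the device) that
    contains an Info.plist; folders without Info.plist are ignored.
    """
    base = Path(base_dir)
    if not base.is_dir():
        return []
    records = []
    for entry in sorted(base.iterdir()):
        info_path = entry / "Info.plist"
        if not entry.is_dir() or not info_path.is_file():
            continue
        device_name = "(unknown)"
        try:
            with info_path.open("rb") as fh:
                info = plistlib.load(fh)
            # "Device Name" is assumed to be the key holding the device label.
            device_name = str(info.get("Device Name", device_name))
        except Exception:
            pass  # malformed plist: still report the folder as a backup
        records.append({
            "folder": entry.name,
            "device_name": device_name,
            "last_modified": time.strftime(
                "%Y-%m-%d", time.gmtime(entry.stat().st_mtime)
            ),
        })
    return records


def backup_exposure_summary(base_dir=DEFAULT_BACKUP_DIR):
    """Human-readable summary an admin can drop into an asset inventory."""
    backups = find_ios_backups(base_dir)
    if not backups:
        return "no iOS backups found under %s" % base_dir
    lines = ["%d iOS backup(s) under %s:" % (len(backups), base_dir)]
    for b in backups:
        lines.append("  %s  device=%s  modified=%s"
                     % (b["folder"], b["device_name"], b["last_modified"]))
    return "\n".join(lines)


def demo_with_sample_tree():
    """Build a constructed sample MobileSync tree in a temp dir and audit it.

    The folder name and plist contents are made up for this example.
    """
    root = Path(tempfile.mkdtemp(prefix="mobilesync_sample_"))
    backup = root / "00008030-000A1B2C3D4E5F60"  # constructed device-style name
    backup.mkdir()
    with (backup / "Info.plist").open("wb") as fh:
        plistlib.dump({"Device Name": "Sample iPhone",
                       "Product Type": "iPhone12,1"}, fh)
    (root / "not-a-backup").mkdir()  # no Info.plist, must be ignored
    return find_ios_backups(root)


if __name__ == "__main__":
    print(backup_exposure_summary())
```

Run it on a Mac to see whether the machine holds phone backups at all; on a fleet, the summary line is the kind of fact worth recording per host, since an endpoint with recent backups carries more sensitive data than its own user profile suggests.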

Palo Alto Networks' report follows other reports that malicious software has become more common on Macs. Apple's computers used to have a reputation of being virus-free, at least among general consumers, but the reality was that hackers were better served by targeting more popular Windows devices. Now it seems that some attackers no longer want to participate in the platform wars--they're going to target people who use either operating system.

Sophos said as much in the 2017 malware forecast released during the RSA Conference:

Though Mac malware is comparatively rare, Macs aren’t magically immune to cybercriminality. [...] Even though Mac users aren’t losing huge amounts of money to ransomware like their Windows counterparts, Mac malware is often technically sneaky and geared towards exfiltrating data or providing covert remote access to thieves -- something that could easily get companies in just as much trouble with regulators as with their customers. [...] The bad guys gained plenty of traction with these attacks, and we expect more of it in 2017.

XAgentOSX certainly appears to be "more of it." Palo Alto Networks said its products have been updated to protect their users from the trojan. For everyone else, this is another reminder that the days of macOS being too high-effort/low-reward for hackers are over.

