XAgentOSX RAT

The XAgentOSX RAT is a Remote Access Trojan used by the Sofacy hacker group. Sofacy was already targeting Mac users with a backdoor trojan called Komplex, but researchers at Palo Alto Networks found that the group may use Komplex to deliver the XAgentOSX RAT onto compromised systems, since the latter offers considerably more functionality.

Upon successful infiltration, the XAgentOSX RAT initiates communication with its Command-and-Control (C2) infrastructure using HTTP POST requests to send data and GET requests to receive commands.

To identify a specific victim, the malware generates a value that it names 'agent_id'. The value consists of the first four digits of the IOPlatformUUID, which it reads through IOService. While analyzing the code of the XAgentOSX RAT, the researchers also found a mistake made by the hackers in the array of strings holding the possible locations of its C2 servers:

http://23.227.196.215/
http://apple-iclods.org/
http://apple-checker.org/
http://apple-uptoday.org/
http://apple-search.info

As you may have noticed, the last string is missing the '/' symbol at its end, which creates issues when the malware attempts to use it.
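As a defensive illustration (added here, not part of the original analysis or of any Palo Alto Networks tooling), the following Python snippet matches proxy log traffic against the five C2 locations listed above. It compares on hostname only, so the malformed last entry still matches, and it labels POST requests as data sent to the C2 and GET requests as command polling, mirroring the communication pattern described earlier. The log line format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# C2 locations quoted in the analysis above; the last one lacks the trailing '/'.
XAGENT_C2 = [
    "http://23.227.196.215/",
    "http://apple-iclods.org/",
    "http://apple-checker.org/",
    "http://apple-uptoday.org/",
    "http://apple-search.info",
]

# Match on host only, so the entry without the trailing '/' is handled the same way.
C2_HOSTS = {urlsplit(u).hostname.lower() for u in XAGENT_C2}

# Constructed proxy log lines in a hypothetical "timestamp client method url status" format.
SAMPLE_LOG = """\
2017-02-14T10:00:01Z 10.0.0.5 GET http://apple-search.info/ 200
2017-02-14T10:00:02Z 10.0.0.5 POST http://apple-checker.org/upload 200
2017-02-14T10:00:03Z 10.0.0.7 GET http://www.apple.com/ 200
2017-02-14T10:00:04Z 10.0.0.5 GET http://23.227.196.215/cmd 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify(line):
    """Return a hit record if the request targets a known XAgentOSX C2 host, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, _status = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    if host not in C2_HOSTS:
        return None
    # POST carries data to the C2; GET polls it for commands.
    role = "data sent to C2 (POST)" if method == "POST" else "command poll (GET)"
    return {"ts": ts, "client": client, "host": host, "role": role}


def scan(log_text):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```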

The XAgentOSX RAT has a Nasty Set of Functions

When the appropriate command is sent to the XAgentOSX RAT, it can run any of the malware's many invasive functions. The hackers can use the Trojan to gather system information and login credentials, list all running processes and all installed applications, and manipulate files (read, execute, download, upload and delete). The XAgentOSX RAT uses the CGGetActiveDisplayList, CGDisplayCreateImage and NSImage:initWithCGImage methods to take screenshots, which it then uploads to its C2 servers. The malware can also collect data from Firefox by looking up the 'hostname', 'encryptedUsername' and 'encryptedPassword' fields in the 'logins.json' file.

An interesting addition to this RAT's abilities is a command that checks whether the compromised device has been used to back up an iPhone or an iPad. There is little doubt that the cybercriminals would then attempt to exfiltrate those backup files.

And if that wasn't enough, the XAgentOSX RAT can also act as a keylogger. The malware stores the captured keystrokes and, once a predetermined amount has accumulated, sends them to its C2 servers by using [logged keystrokes].
