The state-backed Russian group accused of hacking the Democratic National Committee appears to be expanding its repertoire. Bitdefender Labs researchers have obtained a sample of a Mac-native variant of Xagent, the backdoor malware linked to Russia’s APT28 (aka Fancy Bear or Strontium). The code not only allows swiping passwords and capturing screenshots, but includes a module that can swipe iOS device backups created by iTunes. While it’s easy to encrypt those backups, this theoretically gives intruders a chance at snooping on iPhone data without having to compromise the iPhone itself.
As for the evidence? The modules in the Mac variant of Xagent show a “number of similarities” to the components for Linux and Windows, Bitdefender says. The malware’s command-and-control addresses are also eerily similar to the ones APT28 uses for another malware tool, Komplex.
There’s still a lot left to be uncovered. The security team only has the malware itself, not a full picture of how an attack works — Komplex, which infects Macs through a hole in the notorious MacKeeper antivirus kit, is one possible vector. It’s also unclear what other modules are available. Either way, this isn’t exactly comforting for Mac users who may find themselves in Russia’s crosshairs. Thankfully, it’s possible to protect against Xagent (Bitdefender says its AV software will work, and others likely will too). The concern is that Russia might have already used the malware, or that it may target people who are unaware of the threat.
Source: Bitdefender Labs
Engadget RSS Feed
The Android malware Hummingbad has infected 10 million devices so far, but what’s most interesting is where it comes from. First discovered by the security firm Check Point in February, the malware has been tied by researchers to Yingmob, a highly organized Chinese advertising and analytics company that looks like your typical hum-drum ad firm. Once it successfully infects and sets up a rootkit on Android devices (giving it full administrative control), Hummingbad generates as much as $300,000 a month through fraudulent app installs and ad clicks. As Check Point describes it, Hummingbad is an example of how malware companies can support themselves independently.
“Emboldened by this independence, Yingmob and groups like it can focus on honing their skill sets to take malware campaigns in entirely new directions, a trend Check Point researchers believe will escalate,” the researchers say. “For example, groups can pool device resources to create powerful botnets, they can create databases of devices to conduct highly-targeted attacks, or they can build new streams of revenue by selling access to devices under their control to the highest bidder.”
On top of its Hummingbad victims, Yingmob controls around 85 million devices globally. Naturally, the company is also able to sell access to the infected devices, along with sensitive information. And while its attack is global, most victims are in China and India, with 1.6 million and 1.3 million infected users, respectively. iPhone users aren’t safe from Yingmob either — researchers have also found that the group is behind the Yispecter iOS malware.
Source: Check Point (1), (2)