Unit 42, Palo Alto Networks’ threat intelligence research arm, has reported a sample of a backdoor Trojan that targets individuals running macOS systems and is believed to be used by the Sofacy group. The Trojan was discovered during ongoing research on Sofacy’s ‘Komplex’ Trojan, which Unit 42 first identified in September 2016.
A new blog post explores how the Trojan, dubbed XAgentOSX by its authors, works and how it is being used by attackers.
For more information, see the blog post at http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/; an extract of the post is reproduced below.
“During our continued research on Sofacy’s Komplex Trojan, we have found a sample of a backdoor Trojan that we believe the Sofacy group uses when targeting individuals running macOS systems. The backdoor Trojan authors have called it XAgentOSX, which shares the name XAgent with one of Sofacy’s Windows-based Trojans and references Apple’s previous name for macOS, OS X. It appears the same actor developed both the Komplex and XAgentOSX tools, based on similarities within the following project paths found within the tools:
XAgent OSX: /Users/kazak/Desktop/Project/XAgentOSX
We believe it is possible that Sofacy uses Komplex to download and install the XAgentOSX tool to use its expanded command set on the compromised system.”
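The attribution clue in the extract above is a developer project path left inside the binary. As an added example (not code from the Unit 42 post, and not part of the XAgentOSX sample), the script below shows the triage a defender can run to surface such leaked paths: it pulls printable strings from a binary image, keeps the `/Users/<account>/...` paths, records the account name they leak, and reports the deepest project directory two samples have in common. The byte blobs are constructed inline so the script runs offline; the XAgentOSX path is the one quoted above, while the second blob's path is a hypothetical placeholder standing in for any other tool from the same developer, not Komplex's actual project path.

```python
import posixpath
import re

# Constructed stand-ins for Mach-O images. A real workflow would read the files
# from disk; here the bytes are built inline so the example runs offline.
# The first path is the XAgentOSX project path quoted in the Unit 42 extract.
# The second path is a PLACEHOLDER for some other tool by the same developer,
# NOT Komplex's real project path.
SAMPLE_XAGENT = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 16
    + b"/Users/kazak/Desktop/Project/XAgentOSX/XAgentOSX/main.m\x00"
    + b"\x01\x02\x03_OBJC_CLASS_$_NSString\x00"
    + b"/Library/Frameworks/Foundation.framework\x00"
)
SAMPLE_OTHER = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 8
    + b"/Users/kazak/Desktop/Project/PLACEHOLDER_TOOL/src/core.m\x00"
)

# Absolute paths under a macOS home directory: /Users/<account>/...
HOME_PATH = re.compile(r"^/Users/([^/]+)/(.+)$")


def extract_strings(blob, min_len=6):
    """Return printable-ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def project_path_artifacts(blob):
    """Pick out embedded home-directory paths and the account name they leak."""
    artifacts = []
    for s in extract_strings(blob):
        m = HOME_PATH.match(s)
        if m:
            artifacts.append({"path": s, "account": m.group(1)})
    return artifacts


def shared_project_dir(blob_a, blob_b):
    """Deepest directory shared by the two binaries' embedded home paths.

    Returns '' when nothing below /Users is shared. A common project
    directory is the weak-but-useful signal analysts use to tie two tools
    to one developer, as Unit 42 did for Komplex and XAgentOSX."""
    paths_a = [a["path"] for a in project_path_artifacts(blob_a)]
    paths_b = [b["path"] for b in project_path_artifacts(blob_b)]
    best = ""
    for pa in paths_a:
        for pb in paths_b:
            common = posixpath.commonpath([pa, pb])
            if common in ("/", "/Users"):
                continue  # only the top-level layout in common: no signal
            if len(common) > len(best):
                best = common
    return best


if __name__ == "__main__":
    for art in project_path_artifacts(SAMPLE_XAGENT):
        print(art)
    print("shared:", shared_project_dir(SAMPLE_XAGENT, SAMPLE_OTHER))
```

Feed real files with `project_path_artifacts(open(path, "rb").read())`; on a large corpus, group samples by the `account` field first and only then compare directories, since the account name alone is already a pivot worth recording.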