Xagent

Malware updated 6 months ago (2024-05-05T06:17:36.646Z)
XAgent is a sophisticated malware family developed by the Sofacy group, also known as APT28 or Fancy Bear. It was added to the group's arsenal in 2013 alongside other backdoors and tools such as CORESHELL, SPLM (also known as Xagent or CHOPSTICK), JHUHUGIT and AZZY. XAgent is built to compromise and damage computer systems, typically gaining a foothold without the user's knowledge through suspicious downloads, emails or websites. Once installed it can steal personal information, disrupt operations, or hold data hostage for ransom.

The macOS variant of XAgent is notably complex. It communicates with its command and control (C2) servers over HTTP, which lets the operator interact with the compromised system and issue commands through the C2 channel. The variant also includes keylogger functionality: it registers an event tap with the CGEventTapCreate function and records keystrokes, allowing the malware to capture credentials as the user types them. The same XAgent name is used for both the macOS tool and one of the group's Windows tools, showing consistent naming across platforms.

XAgent also generates a unique "agent_id" for each compromised host and uses it when constructing the URLs for its HTTP POST and GET requests; the agent_id value is set as an HTTP parameter within a specific data structure. The C2 server returns commands for the Trojan to execute in response to these inbound HTTP requests. The parameters used to build the C2 URL are selected from a predefined list, a further indication of the malware's sophistication and adaptability.
Description last updated: 2024-05-05T05:26:02.850Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the Xagent malware was read from the documents in the corpus below (display limited to 20 results).

Source: MITRE (created 2 years ago)
Source: MITRE (created 2 years ago)