XAgent is a sophisticated malware developed by the Sofacy group, also known as APT28 or Fancy Bear. This malicious software was added to the group's arsenal in 2013, alongside other backdoors and tools such as CORESHELL, SPLM (also known as Xagent or CHOPSTICK), JHUHUGIT, AZZY, and others. XAgent is designed to exploit and damage computer systems, often infiltrating without the user's knowledge via suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom.
The macOS variant of XAgent demonstrates a high level of complexity. It communicates with its command and control (C2) servers over HTTP requests, which lets the threat actor interact with the compromised system. This version of XAgent can receive commands from the threat actors via its C2 channel and includes keylogger functionality, logging keystrokes by calling the CGEventTapCreate function; this lets the malware capture credentials as the user types them. Furthermore, Sofacy uses the XAgent name for both this macOS-based tool and one of its Windows-based tools, demonstrating a consistency in naming conventions across platforms.
In addition to these features, XAgent generates a unique "agent_id" for each compromised host, which it uses when constructing URLs for HTTP POST and GET requests. This agent_id value is set as an HTTP parameter within a specific data structure. The malware's C2 server provides commands for the Trojan to run on the compromised system in response to inbound HTTP requests. The selection of parameters from a predefined list during the construction of the C2 URL further illustrates the sophistication and adaptability of the XAgent malware.
Description last updated: 2024-05-05T05:26:02.850Z