XAgentOSX, also known as Sofacy's XAgent macOS Tool, is malware attributed to the same actor who created the Komplex tool, according to research by Palo Alto Networks. It typically reaches a system through suspicious downloads, emails, or websites without the user's knowledge. Once installed, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The name "XAgentOSX" references OS X, Apple's previous name for macOS, and matches the name of one of Sofacy's Windows-based Trojans, suggesting a common origin.
XAgentOSX operates much like its Windows-based counterpart: the Command and Control (C2) URLs it generates closely resemble those produced by the Windows version. This similarity points to a shared development background and further supports the theory that the same actor developed both tools. In addition, XAgentOSX wraps its command responses in HTML tags, which is believed to let the C2 server format logs for viewing, adding another layer of complexity and stealth to its operation.
Palo Alto Networks assesses that the Sofacy group likely uses the Komplex tool to download and install XAgentOSX onto compromised systems, thereby expanding the set of commands it can run on them. The specific XAgentOSX sample analyzed by Palo Alto Networks was configured to use certain IP addresses and domain names as its C2 servers. Knowing how the malware communicates is important for understanding its behaviour and opens avenues for detection and mitigation.
Description last updated: 2024-05-05T06:48:02.810Z