What is Xagent and how to remove it from Mac?

What is Xagent?

Xagent is the work of the threat group known as APT28 (also tracked as Fancy Bear, Pawn Storm, Sofacy Group, Sednit and STRONTIUM), which Western governments and security vendors assess with high confidence to operate with the backing of the Russian state.

Active since at least 2004, Fancy Bear has been blamed for attacks on the Democratic National Committee, the German parliament, NATO, European security organizations, French television stations and even the White House. Make no mistake: this is a sophisticated, well-funded operation capable of causing serious damage across the world.

Numerous cybersecurity companies, the British Foreign & Commonwealth Office (FCO) and the United States Special Counsel (in its probe of Russian interference in the 2016 US presidential election) have attributed the group to the GRU, Russia's military intelligence agency, and more specifically to two of its cyber units, Unit 26165 and Unit 74455. Alongside the high-profile intrusions, Fancy Bear consistently targets governments, organizations, journalists and media companies in countries bordering Russia, including those aligned with NATO and the European Union.

As part of these campaigns, numerous pieces of malware have been unleashed online. Some are aimed squarely at Russia's adversaries. Others are captured in the wild in the course of an ongoing attack and adapted by other cybercriminals for their own ends.

Xagent is one such piece of malware, and it is still circulating. Its Android variant was found bundled into a copy of an app that Ukrainian artillery officers used to speed up targeting calculations for the D-30 howitzer; an implant on the officer's phone could have exposed the location of the units using it. Initial reports claimed the infection had led to the destruction of 80% of Ukraine's D-30 howitzers. That figure was later walked back: the International Institute for Strategic Studies (IISS), whose data the estimate relied on, said its figures showed losses of 15-20% of the D-30s over the whole conflict and did not tie those losses to the malware, and the estimate was revised accordingly.

Is it a threat to macOS devices?

Xagent is not an Android-only tool. Variants of the implant have been reported for Windows, iOS and Android, and a macOS build was documented in 2017, so Macs are squarely within its reach.

On macOS it is known to arrive via the Komplex downloader, delivered through lures that persuade the target to install what looks like legitimate software, with Xagent bundled inside the package. Once running, the implant quietly checks in with its operators and profiles the machine, reporting the hardware, operating system and installed applications so that further modules can be tailored to that particular system.

Once it has profiled the system, Xagent harvests every useful piece of information it can reach. Screenshots, keystrokes, passwords and even iPhone backups stored on the Mac are collected and sent to the command-and-control (C&C) server.

Like other tooling this sophisticated, Xagent is built to go unnoticed, and most infected users will have no idea it is there. Fancy Bear does not make its intrusions obvious, and that extends to the implants it uses. Still, Xagent can be removed, either manually or with the help of software.

Removing Xagent manually

Finding and removing Xagent manually is possible, but follow these steps carefully and only trash applications you are sure are not components of another program you need. Bear in mind that the malicious process will not announce itself with a name like "Xagent": look for processes and applications you do not recognise, and check where their executables live before acting.

  1. Open the Utilities folder.
  2. Locate and open Activity Monitor (you can also launch it through Spotlight Search or Siri).
  3. Within Activity Monitor, look for a process you do not recognise. Double-click it to open its info window; the Open Files and Ports tab shows which executable it is running from.
  4. With the suspicious process selected, click the Stop (X) button in the toolbar and choose Quit.
  5. Choose Force Quit if it won't close straight away.
  6. Now go to the Applications folder.
  7. Search for the same application(s).
  8. Move them to the Trash.
  9. Empty the Trash.
  10. Finally, in System Preferences > Users & Groups > Login Items, remove anything you do not recognise.

As outlined above, Xagent does not come from your average cyber criminal setup, and a manual removal is not guaranteed to clear out every backdoor it has created. Login Items are only one of several persistence mechanisms on macOS: implants more commonly survive a reboot as launchd jobs in ~/Library/LaunchAgents, /Library/LaunchAgents or /Library/LaunchDaemons, which the steps above never touch. You also run the risk of deleting an application you actually need. Removing it safely and quickly with an app you can trust, such as CleanMyMac X, often proves more effective.
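The Login Items step covers only one way an implant can survive a reboot. The script below is an added example, not code from the original article or from MacPaw, that audits the launchd job directories (~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons), extracts the executable each job starts and flags jobs whose program lives in a temporary directory, a hidden directory or a user's Library folder. The sample plists, the com.vendor.updater and com.apple.helper labels and the path heuristic are assumptions constructed for the example; nothing in it is a published Xagent indicator.

```shell
#!/bin/sh
# Added example, not code from the original article or from any vendor.
# Enumerates launchd jobs (the persistence mechanism most macOS implants use,
# and one the manual steps above never touch) and flags jobs whose program
# lives somewhere a legitimate vendor would not install it. It takes a root
# directory so it can be exercised on a constructed tree; on a real Mac run
# "audit_launchd /" and review every hit by hand before deleting anything.

# Print every launchd job plist in the standard system-wide and per-user paths.
list_launchd_plists() {
  root="${1:-/}"
  for d in "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons" \
           "$root"/Users/*/Library/LaunchAgents; do
    [ -d "$d" ] || continue
    for f in "$d"/*.plist; do
      [ -f "$f" ] || continue
      printf '%s\n' "$f"
    done
  done
}

# Print the executable a job starts: the <string> after <key>Program</key>, or
# the first <string> of the ProgramArguments array. Handles XML plists only;
# convert binary ones first with "plutil -convert xml1 -o - file.plist".
plist_program() {
  awk '
    /<key>Program(Arguments)?<\/key>/ { want = 1 }
    want && /<string>/ {
      sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
    }' "$1"
}

# Heuristic (an assumption of this example, not a published indicator): flag
# programs run from temp directories, hidden directories or a user's Library
# folder, the places droppers typically park payloads. Hits need human review.
is_suspicious_path() {
  case "$1" in
    /tmp/*|/private/tmp/*|/var/tmp/*|*/.*|/Users/*/Library/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit every job under the given root; print "SUSPECT <plist> -> <program>".
audit_launchd() {
  list_launchd_plists "$1" | while IFS= read -r plist; do
    prog=$(plist_program "$plist")
    if is_suspicious_path "$prog"; then
      printf 'SUSPECT %s -> %s\n' "$plist" "$prog"
    fi
  done
}

# Build a constructed tree with one benign vendor job and one planted job
# that hides behind an Apple-looking label. Both are hypothetical files.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/Library/LaunchDaemons" "$root/Users/alice/Library/LaunchAgents"
  cat > "$root/Library/LaunchDaemons/com.vendor.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Vendor.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
</dict></plist>
EOF
  cat > "$root/Users/alice/Library/LaunchAgents/com.apple.helper.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.helper</string>
  <key>Program</key><string>/Users/alice/Library/.cache/helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  printf '%s\n' "$root"
}

sample=$(make_sample_tree)
audit_launchd "$sample"   # reports only the planted com.apple.helper job
rm -rf "$sample"
```

On a real Mac run audit_launchd / (converting any binary plist with plutil first) and unload a confirmed hit with launchctl unload before trashing its files. Treat every hit as a lead to verify rather than a verdict: legitimate updaters also install per-user LaunchAgents, and the heuristic flags location, not behaviour.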

How to remove Xagent safely

CleanMyMac X is a powerful removal tool for adware, spyware, malware and trojans.

It is also an essential tool for improving the overall performance of your Mac. On average, users find they get back 62GB of space, ensuring that their devices run faster and smoother.

To remove spyware this way, all you need to do is:

  1. Download CleanMyMac X (a free trial version is available).
  2. Open the app.
  3. Choose Malware Removal.
  4. Click Scan to scan for infections.
  5. Click Remove to approve the deletion.

Xagent is malicious and dangerous. Built for espionage against a military adversary in a conflict that has sparked international outrage, it is not your typical spyware, and scanning for it and removing it is essential to keeping your Mac safe.
