Apple pushes silent update to XProtect from XAgent and MacDownloader, but forgets Flash

Apple pushed out a silent update to the XProtect security data files yesterday, 18 February 2017, which should apply to both Sierra and El Capitan.

This adds protection from OSX.XAgent.A, OSX.iKitten.A, and OSX.Proton.A.

XAgent or XAgentOSX is a recently reported backdoor Trojan which appears to have been installed in targeted attacks by the Sofacy group (Russian). Palo Alto Networks has been particularly active in researching this, and has reported its findings here. Bitdefender Labs reported their analysis here, and Patrick Wardle’s detailed findings are presented here.

iKitten is ‘deep’ spyware which has also appeared in some targeted attacks, and is better known as MacDownloader. It too has been associated with state-related actors, in this case in Iran. It is detailed here, and by Malwarebytes Labs here.

Neither XAgent nor MacDownloader seems to have become more generally available, and both appear still to be used in targeted attacks as part of specific intrusions. However, there is always the risk to other Mac systems, which should now be protected properly against them.

Interestingly, the minimum requirement for Adobe Flash Player remains set at version, which was released in late October 2016, although the current version available from Adobe is now If you still have Flash installed, I recommend that you check that you are running that latest version, as it has a lot of important security fixes. Currently XProtect will not ensure that you are using a recent release of Flash, which could leave you vulnerable.
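The gap described above can be checked by comparing three values: the installed Flash version, the minimum that XProtect enforces, and the vendor's current release. The following is an added example, not code from this article or from Apple; the plist layout it parses (`PlugInBlacklist`, `MinimumPlugInBundleVersion`, the Flash bundle identifier) is an assumption about the XProtect metadata file, and every version number is constructed.

```python
import plistlib

# Constructed sample shaped like XProtect's metadata plist. Key names are an
# assumption of this example; version numbers are made up for illustration.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Version</key><integer>1</integer>
  <key>PlugInBlacklist</key><dict>
    <key>10</key><dict>
      <key>com.macromedia.Flash Player.plugin</key><dict>
        <key>MinimumPlugInBundleVersion</key><string>20.0.0.100</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

FLASH_ID = "com.macromedia.Flash Player.plugin"

def parse_version(text):
    """Turn '20.0.0.100' into (20, 0, 0, 100) so that 9 < 10 compares numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad short versions with zeros

def flash_minimum(meta_bytes, plugin_id=FLASH_ID):
    """Return the minimum plug-in version the metadata enforces, or None if unset."""
    meta = plistlib.loads(meta_bytes)
    for plugins in meta.get("PlugInBlacklist", {}).values():
        entry = plugins.get(plugin_id)
        if entry and "MinimumPlugInBundleVersion" in entry:
            return entry["MinimumPlugInBundleVersion"]
    return None

def assess(installed, xprotect_min, vendor_current):
    """Classify an installed plug-in against XProtect's floor and the vendor's latest."""
    inst = parse_version(installed)
    if xprotect_min is not None and inst < parse_version(xprotect_min):
        return "blocked-by-xprotect"
    if inst < parse_version(vendor_current):
        return "allowed-but-outdated"  # passes XProtect yet lacks recent fixes
    return "current"

if __name__ == "__main__":
    floor = flash_minimum(SAMPLE_META)
    for installed in ("19.0.0.245", "20.0.0.100", "20.0.0.300", "21.0.0.50"):
        print(installed, assess(installed, floor, vendor_current="21.0.0.50"))
```

Any result of `allowed-but-outdated` marks a Mac that XProtect will not flag even though its Flash plug-in is behind the vendor's current release.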