Komplex is, according to security researchers at Palo Alto Networks, a new Trojan for Mac OS X, which is believed to be linked to the activities of Sofacy (also known as APT28, Pawn Storm, Fancy Bear, and Sednit), a Russian cyber espionage group. Even though no victims have been reported yet, the research team has spotted the malware payload. Moreover, researchers have uncovered that the Trojan has been customized to target people in the aerospace industry.
Komplex Trojan Technical Overview
Three versions of the Trojan are known so far:
- A Komplex version for x64 architecture;
- A Komplex version for x86 architecture;
- And a third version for both architectures.
The Trojan has multiple parts, first leading with a binder component that is responsible for saving a second payload and a decoy document to the system. We found three different versions of the Komplex binder, one that was created to run on x86, another on x64, and a third that contained binders for both x86 and x64 architectures.
During the researchers’ analysis, it became known that Komplex was used in an earlier attack that targeted victims running OS X. The attack exploited a vulnerability in the MacKeeper application and delivered Komplex as a payload. Not surprisingly, the Trojan has a lot in common with Carberp, another tool used by APT29, which was deployed against Windows users.
In addition to shared code and functionality, the researchers also discovered Komplex command and control (C2) domains that overlapped with previously identified phishing campaign infrastructure associated with the same cybercriminal group.
Here is the full list of shared functionality with the Windows Carberp malware:
- Same URL generation logic using random path values, a random file extension and encrypted token;
- Same file extensions used in C2 URL that are listed within the binaries in the same order;
- Same algorithm used to encrypt and decrypt the token in the URL and HTTP POST data (Carberp modifies the key using the value 0xAA7D756, whereas Komplex uses 0xE150722);
- Very similar command handling, including parsing specifically for Execute, Delete, [file], [/file], FileName, and PathToSave;
- Checks for Internet connectivity by connecting to google.com;
- Uses an 11-byte XOR key to decrypt strings within the configuration.
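The last item in that list, configuration strings protected with an 11-byte XOR key, is the kind of detail an analyst turns into a triage helper. The Python below is an added example, not code from the Unit 42 report or from the malware: it recovers an unknown 11-byte repeating XOR key from a blob of zero-padded string slots and decrypts the strings. The key, the slot layout and the field values are constructed for illustration; the page does not give Komplex's actual key or configuration format.

```python
from collections import Counter
from itertools import cycle

KEY_LEN = 11  # the report says Komplex uses an 11-byte XOR key for config strings


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, key_len: int = KEY_LEN) -> bytes:
    """Recover the key without knowing it.

    Assumes the plaintext is a table of zero-padded string slots, so NUL
    (0x00) is the most common plaintext byte at every key position. Since
    c = p ^ k and p is mostly 0x00, the most frequent ciphertext byte in
    each column is the key byte itself.
    """
    return bytes(
        Counter(blob[pos::key_len]).most_common(1)[0][0] for pos in range(key_len)
    )


def extract_strings(plain: bytes, min_len: int = 4) -> list[str]:
    """Split decrypted slots on NUL and keep printable ASCII strings worth triaging."""
    return [
        s.decode("ascii")
        for s in plain.split(b"\x00")
        if len(s) >= min_len and all(0x20 <= b < 0x7F for b in s)
    ]


def decrypt_config(blob: bytes) -> list[str]:
    """Key recovery, decryption and string extraction in one analyst helper."""
    return extract_strings(xor_bytes(blob, recover_key(blob)))


# --- constructed sample: hypothetical values, not Komplex's real config ---
SLOT = 32  # assumed fixed-width, zero-padded string slots
FIELDS = [b"c2.example.invalid", b"/news/", b".php", b"Execute", b"Delete"]
SAMPLE_KEY = bytes([0x5A, 0x13, 0xC7, 0x88, 0x21, 0x9E, 0x04, 0x6D, 0xF2, 0x3B, 0x70])
PLAINTEXT = b"".join(f.ljust(SLOT, b"\x00") for f in FIELDS)
ENCRYPTED_CONFIG = xor_bytes(PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(ENCRYPTED_CONFIG).hex())
    for s in decrypt_config(ENCRYPTED_CONFIG):
        print("config string:", s)
```

The frequency trick only works when NUL padding dominates each key column; for densely packed strings, use a known-plaintext anchor such as a command name the report lists (Execute, Delete) instead.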
Researchers have discovered several modules that enable the cybercriminals to download files to the targeted systems, steal data, or execute commands. Put briefly, Komplex is a Mac port of the Windows Carberp Trojan, which was deployed against a government official in the US.