Komplex is, according to security researchers from Palo Alto Networks, a new Trojan horse for Mac OS X that is believed to be linked to the activities of Sofacy (also known as APT28, Pawn Storm, Fancy Bear, and Sednit), a Russian cyber espionage group. Even though no victims have been reported yet, the research team has spotted the malware payload. Moreover, researchers have uncovered that the Trojan has been customized to target people in the aerospace industry.
Komplex Trojan Technical Overview
Three versions of the Trojan are known so far:
- A Komplex version for x64 architecture;
- A Komplex version for x86 architecture;
- And a third version for both architectures.
The Trojan has multiple parts, first leading with a binder component that is responsible for saving a second payload and a decoy document to the system. We found three different versions of the Komplex binder, one that was created to run on x86, another on x64, and a third that contained binders for both x86 and x64 architectures.
During the researchers’ analysis, it became known that Komplex was used in an earlier attack that targeted victims running OS X. The attack exploited a vulnerability in the MacKeeper application and delivered Komplex as a payload. Not surprisingly, the Trojan has a lot in common with another tool deployed by APT29 – Carberp, which was deployed against Windows users.
In addition to shared code and functionality, the researchers also discovered Komplex command and control (C2) domains that overlapped with previously identified phishing campaign infrastructure associated with the same cybercriminal group.
Here is the full list of shared functionality with the Windows Carberp malware:
- Same URL generation logic using random path values, a random file extension and encrypted token;
- Same file extensions used in C2 URL that are listed within the binaries in the same order;
- Same algorithm used to encrypt and decrypt the token in the URL and HTTP POST data (Carberp key is modified using value 0xAA7D756 whereas Komplex uses 0xE150722);
- Very similar command handling, including parsing specifically for Execute, Delete, [file], [/file], FileName, and PathToSave;
- Checks for Internet connectivity by connecting to google.com;
- Uses an 11-byte XOR key to decrypt strings within the configuration.
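The report only states that the configuration strings are protected with an 11-byte repeating XOR key. The following is an added analyst-side example, not code from the report or from Palo Alto Networks: it recovers such a key from a configuration blob using a known-plaintext crib (here the google.com connectivity-check string, assumed to be NUL-terminated in the binary) and then decodes the remaining strings. The key, the blob layout and the sample strings are constructed assumptions, not Komplex's real values.

```python
"""Recover an 11-byte repeating XOR key from a config blob via a known-plaintext crib."""
from itertools import cycle
from typing import List, Optional

KEY_LEN = 11  # key period stated in the report; everything else below is constructed

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key; the same operation encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(blob: bytes, crib: bytes, key_len: int = KEY_LEN) -> Optional[bytes]:
    """Slide the crib over the blob. At each offset, XOR crib bytes against the
    ciphertext to derive candidate key bytes; a crib of at least key_len bytes
    fixes every key position. Accept the first candidate whose full decryption
    is printable ASCII or NUL (the expected shape of a string table)."""
    if len(crib) < key_len:
        return None  # crib too short to determine all key positions
    for off in range(len(blob) - len(crib) + 1):
        key: List[Optional[int]] = [None] * key_len
        consistent = True
        for i, c in enumerate(crib):
            pos = (off + i) % key_len
            k = blob[off + i] ^ c
            if key[pos] is None:
                key[pos] = k
            elif key[pos] != k:
                consistent = False  # crib overlaps itself with conflicting key bytes
                break
        if consistent and None not in key:
            candidate = bytes(key)  # type: ignore[arg-type]
            plain = xor_bytes(blob, candidate)
            if all(b == 0 or 32 <= b < 127 for b in plain):
                return candidate
    return None

def config_strings(blob: bytes, key: bytes) -> List[str]:
    """Decrypt the blob and split it into its NUL-terminated strings."""
    return [s.decode("ascii") for s in xor_bytes(blob, key).split(b"\x00") if s]

# Constructed sample: a NUL-separated string table encrypted under a constructed key.
SAMPLE_KEY = bytes.fromhex("5a1c77e9034b2d8af16c93")  # 11 bytes, not the real key
SAMPLE_PLAIN = b"google.com\x00PathToSave\x00FileName\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    recovered = recover_key(SAMPLE_BLOB, b"google.com\x00")
    print("recovered key:", recovered.hex() if recovered else None)
    print("strings:", config_strings(SAMPLE_BLOB, recovered) if recovered else [])
```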
Researchers have discovered several modules that enable the cybercriminals to download files onto the targeted systems, steal data, or execute commands. In short, Komplex is a Mac port of the Carberp Trojan for Windows, which was deployed against a government official in the US.