Aerospace industry warned of targeted attacks from the Komplex OS X trojan

OS X trojan horse spies upon unsuspecting Mac users.

David bisson
David Bisson


The Sofacy hacking group (also known as APT28, Sednit, and Fancy Bear) has developed a new trojan called ‘Komplex’ to help it target OS X users.

A Komplex infection begins with a binder component that saves a decoy document to the target system.

As Palo Alto Networks explains in a blog post, it encountered a sample of the malware where the PDF document spelled out the history of the Russian Federal Space Program’s projects between 2016 and 2025.

Sign up to our free newsletter.
Security news, advice, and tips.

This might mean that Komplex is being used to target OS X users specifically in the aerospace industry.

Decoy document opened by Komplex binder showing document regarding the Russian Space Program
Decoy document opened by Komplex binder showing document regarding the Russian Space Program (Source: Palo Alto Networks)

At the same time, the binder component saves another executable. That’s the Komplex dropper, which is responsible for making sure a third executable achieves persistence so that it can execute every time OS X boots up.

All that remains then is the Komplex payload, which forestalls revealing its main functionality until it conducts two checks: one to see if it’s being debugged, and one to see if it can successfully connect to via the web.

Screen shot 2016 09 27 at 10.32.19 am
The Komplex trojan’s debugging check (Source: Palo Alto Networks)

As long as those tests Komplex can access the internet safely, the payload executes its main functionality.

Dani Creus, Tyler Halfpop and Robert Falcone of Palo Alto Networks explain what happens next:

“The Komplex payload uses an 11-byte XOR algorithm to decrypt strings used for configuration and within C2 communications, including the C2 domains themselves. Figure 8 shows a screenshot of Komplex’s custom string decryption algorithm, along with the XOR key used to decrypt strings within the payload.”

From there, the malware collects information about the infected machine, including username and system version, and sends it to its command-and-control server.

Sofacy 3 500x406
Beacon sent from Komplex to C2 containing system information within the HTTP POST data (Source: Palo Alto Networks)

That server responds back with a series of commands that enables Komplex to download additional files as well as execute or delete existing files.

As you might have guessed, this is not Sofacy’s first foray into computer crime and espionage.

The threat group after all goes by many names. One of those is “Fancy Bear,” which is believed to be the group that – despite Donald Trump’s whining – most likely hacked the Democratic National Committee in late-spring 2016.

The group also goes by the name Strontium, of which Microsoft warned back in November 2015.

It’s unclear whether Komplex is targeting the aerospace industry specifically.

Even if it is, all OS X users should protect themselves against this threat by avoiding suspicious links and email attachments and (yes!) installing a decent anti-virus solution onto their machines.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Aerospace industry warned of targeted attacks from the Komplex OS X trojan”

  1. ramon

    you guys are just trying to create a market for antivirus software on mac os.
    you know it connects to some server…take it down..dont sell me crap antivirus.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.