The Sofacy hacking group (also known as APT28, Sednit, and Fancy Bear) has developed a new trojan called ‘Komplex’ to help it target OS X users.
A Komplex infection begins with a binder component that saves a decoy document to the target system.
As Palo Alto Networks explains in a blog post, it encountered a sample of the malware where the PDF document spelled out the history of the Russian Federal Space Program’s projects between 2016 and 2025.
This might mean that Komplex is being used to target OS X users specifically in the aerospace industry.
At the same time, the binder component saves another executable. That’s the Komplex dropper, which is responsible for making sure a third executable achieves persistence so that it can execute every time OS X boots up.
All that remains then is the Komplex payload, which forestalls revealing its main functionality until it conducts two checks: one to see if it’s being debugged, and one to see if it can successfully connect to Google.com via the web.
As long as those tests Komplex can access the internet safely, the payload executes its main functionality.
Dani Creus, Tyler Halfpop and Robert Falcone of Palo Alto Networks explain what happens next:
“The Komplex payload uses an 11-byte XOR algorithm to decrypt strings used for configuration and within C2 communications, including the C2 domains themselves. Figure 8 shows a screenshot of Komplex’s custom string decryption algorithm, along with the XOR key used to decrypt strings within the payload.”
From there, the malware collects information about the infected machine, including username and system version, and sends it to its command-and-control server.
That server responds back with a series of commands that enables Komplex to download additional files as well as execute or delete existing files.
As you might have guessed, this is not Sofacy’s first foray into computer crime and espionage.
The threat group after all goes by many names. One of those is “Fancy Bear,” which is believed to be the group that – despite Donald Trump’s whining – most likely hacked the Democratic National Committee in late-spring 2016.
The group also goes by the name Strontium, of which Microsoft warned back in November 2015.
It’s unclear whether Komplex is targeting the aerospace industry specifically.
Even if it is, all OS X users should protect themselves against this threat by avoiding suspicious links and email attachments and (yes!) installing a decent anti-virus solution onto their machines.