Aerospace industry warned of targeted attacks from the Komplex OS X trojan

OS X trojan horse spies upon unsuspecting Mac users.

The Sofacy hacking group (also known as APT28, Sednit, and Fancy Bear) has developed a new trojan called 'Komplex' to help it target OS X users.

A Komplex infection begins with a binder component that saves a decoy document to the target system.

As Palo Alto Networks explains in a blog post, it encountered a sample of the malware whose decoy PDF outlined the Russian Federal Space Program's projects for 2016 through 2025.

This might mean that Komplex is being used to target OS X users specifically in the aerospace industry.

Decoy document opened by Komplex binder showing document regarding the Russian Space Program (Source: Palo Alto Networks)

At the same time, the binder component saves another executable. That's the Komplex dropper, which installs a third executable and makes sure it achieves persistence, so that it runs every time OS X boots up.

All that remains is the Komplex payload, which holds off on its main functionality until two checks pass: one to see whether it is being debugged, and one to see whether it can successfully connect to Google.com over the web.

The Komplex trojan's debugging check (Source: Palo Alto Networks)

As long as no debugger is attached and Komplex can reach the internet, the payload executes its main functionality.

Dani Creus, Tyler Halfpop and Robert Falcone of Palo Alto Networks explain what happens next:

"The Komplex payload uses an 11-byte XOR algorithm to decrypt strings used for configuration and within C2 communications, including the C2 domains themselves. Figure 8 shows a screenshot of Komplex’s custom string decryption algorithm, along with the XOR key used to decrypt strings within the payload."

From there, the malware collects information about the infected machine, including username and system version, and sends it to its command-and-control server.

Beacon sent from Komplex to C2 containing system information within the HTTP POST data (Source: Palo Alto Networks)

That server responds with a series of commands that enable Komplex to download additional files as well as execute or delete existing files.
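The following is an added example and is not code from the original page or from Palo Alto Networks' analysis. It implements the repeating-key XOR scheme described above with a constructed 11-byte key and constructed configuration strings (the page does not disclose the real key, C2 domains or string table), and shows the trick an analyst would actually use on such a sample: recovering an unknown key from the encrypted blob with a known-plaintext crib such as "http://" or "User-Agent:", then decrypting the whole table statically.

```python
"""Repeating-key XOR string decryption with known-plaintext key recovery.

Komplex is reported to decrypt its configuration and C2 strings with an
11-byte XOR key. The key and strings below are CONSTRUCTED stand-ins for
this example; they are not the values from the real sample.
"""
from itertools import cycle

KEY_LEN = 11  # reported key length; the value below is a constructed demo key
DEMO_KEY = bytes.fromhex("7f3a91c4e2058b6d1fa0c3")
assert len(DEMO_KEY) == KEY_LEN

# Constructed plaintext strings standing in for a malware's string table.
DEMO_STRINGS = [
    b"http://c2.example.invalid/",  # hypothetical C2 URL, not a real domain
    b"User-Agent: Mozilla/5.0",
    b"/tmp/payload.bin",
]


def xor_crypt(data, key):
    """Repeating-key XOR. Encryption and decryption are the same operation,
    and each string is keyed from key position 0 (a common malware layout)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encrypted_table():
    """Build the constructed 'as found in the binary' encrypted string table."""
    return [xor_crypt(s, DEMO_KEY) for s in DEMO_STRINGS]


def recover_key_bytes(ciphertext, crib, key_len=KEY_LEN, offset=0):
    """Known-plaintext step: key[(offset+i) % key_len] = ct[offset+i] ^ crib[i].

    Returns a dict of key position -> key byte for the positions the crib covers.
    """
    return {
        (offset + i) % key_len: ciphertext[offset + i] ^ c
        for i, c in enumerate(crib)
    }


def recover_key(cribs, key_len=KEY_LEN):
    """Merge partial keys from several (ciphertext, crib, offset) guesses.

    A conflict between two cribs means one guess is wrong; positions no crib
    reaches are reported rather than guessed. Returns the full key as bytes.
    """
    known = {}
    for ct, crib, offset in cribs:
        for idx, kb in recover_key_bytes(ct, crib, key_len, offset).items():
            if known.setdefault(idx, kb) != kb:
                raise ValueError(f"conflicting key byte at position {idx}")
    missing = [i for i in range(key_len) if i not in known]
    if missing:
        raise ValueError(f"key bytes still unknown at positions {missing}")
    return bytes(known[i] for i in range(key_len))


def decrypt_table(table, key):
    """Decrypt every entry of an encrypted string table with the recovered key."""
    return [xor_crypt(ct, key).decode("ascii", "replace") for ct in table]


if __name__ == "__main__":
    table = encrypted_table()
    # An analyst guessing that entry 0 is a URL and entry 1 is an HTTP header:
    # "http://" covers key positions 0-6, "User-Agent:" (11 bytes) covers all.
    key = recover_key([(table[0], b"http://", 0), (table[1], b"User-Agent:", 0)])
    print("recovered key:", key.hex())
    for s in decrypt_table(table, key):
        print("decrypted:", s)
```

Because the key is fixed inside the binary, the C2 domains can be recovered without ever running the sample, and the same property cuts the other way for defenders: the key bytes and the decryption loop are stable features that a static signature can match even when the C2 domains change between builds.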

As you might have guessed, this is not Sofacy's first foray into computer crime and espionage.

The threat group, after all, goes by many names. One of those is "Fancy Bear," which is believed to be the group that - despite Donald Trump's whining - most likely hacked the Democratic National Committee in late spring 2016.

The group also goes by the name Strontium, which Microsoft warned about back in November 2015.

It's unclear whether Komplex is targeting the aerospace industry specifically.

Even if it is, all OS X users should protect themselves against this threat by avoiding suspicious links and email attachments and (yes!) installing a decent anti-virus solution onto their machines.

One Response

  1. ramon

    September 28, 2016 at 12:11 pm

    You guys are just trying to create a market for antivirus software on Mac OS.
    You know it connects to some server... take it down. Don't sell me crap antivirus.