The Komplex Trojan Infects OS X Systems With Decoy Docs

Palo Alto Networks researchers have detected an OS X Trojan, which, according to them, has been previously used by an infamous Russian cyber spying gang in attacks against the aerospace industry.

Dubbed Komplex, the Trojan appears to have been developed by the threat group known variously as Sofacy, Pawn Storm, APT28, Sednit, Fancy Bear and Tsar Team. The criminal crew behind Komplex has been associated with several major attacks, including those against the German parliament, the World Anti-Doping Agency (WADA), the U.S. government and the country’s political parties.

Palo Alto Networks says that Komplex attacks start with a binder component that deploys both a decoy document, which is displayed with the Preview application in OS X, and the Trojan’s dropper. The dropper delivers and executes the main payload and configures the system to run it when OS X starts.
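The page does not say which startup mechanism Komplex uses, only that the dropper configures the system to run the payload at boot. The most common way to do that on OS X is a launchd property list in a LaunchAgents or LaunchDaemons directory, so the following added example (written for this article, not code from Palo Alto Networks or from the malware) shows a small defensive audit that parses launchd plists and flags the traits a dropped persistence entry tends to have: an executable in a world-writable or non-standard location, a hidden file name, an Apple-looking label pointing at a non-Apple binary, or RunAtLoad combined with KeepAlive. The two sample plists are constructed for the example; the heuristics are this example's assumptions about what looks suspicious, not indicators published for Komplex.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Directories from which a legitimate autorun binary is normally launched on OS X.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")

# Locations writable without privileges; a poor home for a genuine agent (assumption).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def launch_program(plist):
    """Return the executable a launchd job will run, or None if it declares none."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if args else None


def assess_launch_item(plist_bytes):
    """Parse one launchd property list (XML or binary) and return a list of
    reasons it looks suspicious; an empty list means nothing stood out."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    program = launch_program(plist)
    if program is None:
        return ["no Program/ProgramArguments key"]

    name = PurePosixPath(program).name
    if name.startswith("."):
        findings.append(f"hidden executable name: {name}")

    if program.startswith(SUSPICIOUS_PREFIXES):
        findings.append(f"executable in world-writable location: {program}")
    elif not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"executable outside trusted directories: {program}")

    # A job that starts at login and restarts itself whenever it exits is
    # typical of implants that want to survive being killed (assumption).
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (restarts itself if killed)")

    label = plist.get("Label", "")
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/")):
        findings.append(f"Apple-looking label {label!r} for non-Apple binary")
    return findings


def scan_directory(directory):
    """Assess every *.plist under a LaunchAgents/LaunchDaemons directory;
    returns {path: findings} for items with at least one finding."""
    report = {}
    for path in Path(directory).glob("*.plist"):
        try:
            findings = assess_launch_item(path.read_bytes())
        except Exception as exc:  # unreadable or malformed plist is itself notable
            findings = [f"could not parse: {exc}"]
        if findings:
            report[str(path)] = findings
    return report


# Constructed samples (not real Komplex artifacts): one ordinary updater agent
# and one entry shaped like a dropped persistence item.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.syncd",
    "ProgramArguments": ["/Users/Shared/.local/.syncd"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for title, blob in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(title, "->", assess_launch_item(blob) or "nothing flagged")
    # On a real Mac, also walk the standard autorun directories that exist.
    for d in ("/Library/LaunchAgents", "/Library/LaunchDaemons",
              str(Path.home() / "Library/LaunchAgents")):
        if Path(d).is_dir():
            for path, findings in scan_directory(d).items():
                print(path, findings)
```

The heuristics are deliberately coarse: a finding is a prompt to inspect the binary (code signature, creation time, network behaviour), not a verdict, and legitimate third-party software occasionally trips the "outside trusted directories" check.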

When the machine is infected, the Trojan contacts its C&C server and gathers system information. Using Komplex, attackers are able to execute arbitrary commands and download additional files to the targeted device.

Experts at Palo Alto Networks noted that there is a chance Komplex is the same unnamed Mac Trojan mentioned in a blog post by BAE Systems in June last year. At the time, it was being spread via a flaw in the MacKeeper security and optimization software.

The analysts were also able to find similarities between the Komplex Trojan and a Carberp malware variant used by the Sofacy group in attacks against the U.S. government. Even though Carberp was built to target Windows, the experts found that Komplex uses similar URL generation logic, file extensions, encryption and decryption methods, Internet connectivity checks and command handling. Experts also uncovered overlaps in C&C infrastructure, as some of the domains used by Komplex are known to be associated with Sofacy activity.

“Based on these observations, we believe that the author of Sofacy’s Carberp variant used the same code, or at least the same design, to create the Komplex Trojan,” Palo Alto Networks explained in a blog post. “A benefit of retaining many of the same functionalities within the Windows and OS X Trojans is that it would require fewer alterations to the C2 server application to handle cross-platform implants.”

Researchers are not entirely sure exactly which organizations Komplex has infected, but, according to them, one of the targets was likely associated with the aerospace industry.
