Komplex Mac trojan seems to have been deployed to spy on individuals working in the aerospace industry

Sep 27, 2016 01:15 GMT  ·  By

Security researchers have discovered Komplex, a new Mac OS X trojan which they say is tied to the activities of a cyber-espionage group named Sofacy, operating out of Russia.

Researchers say that so far they have only recovered the malware payloads and have not tied them to any infected victims. Nevertheless, based on the document lures used in the operation, they believe the trojan samples were customized to target individuals in the aerospace industry.

Palo Alto Networks, the company that detected the trojan, says there are three versions of this trojan known to date. There's a version that can target x64 architectures, one for x86 architectures, and another for both.

Komplex uses MacKeeper vulnerability to compromise targets

Security experts say the infection occurs when the trojan's first-stage component leverages a vulnerability in the MacKeeper Mac antivirus application to get a foothold on a Mac computer.

From the samples they analyzed, researchers reckon this first-stage component is disguised as a PDF document presenting details about Russia's Federal Space Program.

The first-stage component gets boot persistence by adding its own .plist file to the computer's startup routine and then downloads the so-called Komplex payload dropper.

This second-stage component gathers data about the system and, only once an Internet connection is active, starts communicating with the C&C server, sending details about the infected host.

Komplex has basic, but intrusive features

At this point, the C&C server will decide what other Komplex modules to send over. Researchers say they've identified modules that allow Sofacy operators to download files on the infected hosts, gather and steal data, or execute commands.

Palo Alto states that Komplex is the same trojan discovered in June 2015 by BAE Systems. Furthermore, based on the trojan's mode of operation and source code structure, they are positive Komplex is a Mac port of the Carberp Windows trojan deployed in late May against a US government official.

The Sofacy group, also known as Fancy Bear, APT28, Sednit, Pawn Storm, or Strontium, is one of the most active cyber-espionage groups known today. APT28 is believed to be one of the groups that hacked the DNC in the summer of 2015 and that was behind the recent WADA data leaks.

[Image: PDF document used to deploy Komplex trojan]

[Image: Komplex trojan used for cyber-espionage on Mac computers]