There is an OS X Trojan seeing action in attacks aimed at the aerospace industry, researchers said.
The “Komplex” malware appears to have been developed by the attack group known variously as Sofacy, Pawn Storm, APT28, Sednit, Fancy Bear and Tsar Team, said researchers at Palo Alto Networks.
The group has been linked to other high-profile attacks, including ones aimed at the U.S. government and the country’s political parties, and the German parliament.
Komplex attacks start with a binder component that deploys both a decoy document, which is displayed with the Preview application in OS X, and the Trojan’s dropper, researchers said in a blog post. The dropper component drops and executes the main payload and ensures its persistence by configuring the system to launch it when OS X starts.
Once it infects a device, the malware establishes contact with its command and control (C&C) server and collects system information, researchers said. The Trojan allows attackers to execute arbitrary commands and download additional files to the affected machine.
“While reverse engineering the Komplex payload, we came across a few code overlaps that we believed were worth exploring,” the researchers said. “First, we noticed striking similarities between the Komplex payload and the traits and behavior of an OS X Trojan discussed in a BAE Systems blog entitled ‘New Mac OS Malware Exploits MacKeeper.’ According to this blog post, an OS X Trojan was delivered via a vulnerability in the MacKeeper application. The nameless OS X Trojan uses an 11-byte XOR algorithm to decrypt an embedded configuration, which has all of the same variable names and values as the Komplex sample. The algorithm used to encrypt and decrypt the network traffic, as well as all static elements of the network communications (composition of URL, structure of HTTP data, command parsing procedure, etc.) discussed in the blog post are the exact same as seen in the Komplex payload. These overlaps suggest that the Trojan delivered by the MacKeeper vulnerability was in fact the Komplex Trojan.”
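An added example, not code from the article or from Palo Alto Networks: the repeating-key XOR scheme described above is weak enough that an analyst holding a decrypted sample can recover the whole 11-byte key from a known fragment of the configuration and then extract the rest. The key, configuration text and blob below are constructed for illustration; the real Komplex key and values are not given here.

```python
# Analyst helper for a repeating 11-byte XOR configuration (constructed example).
KEY_LEN = 11  # key length reported by the researchers


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, crib: bytes, offset: int = 0, key_len: int = KEY_LEN) -> bytes:
    """Derive the full key from a known-plaintext fragment ("crib") that is at
    least key_len bytes long and is known to start at `offset` in the blob."""
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    key = bytearray(key_len)
    for i in range(key_len):
        pos = offset + i
        # ciphertext XOR plaintext gives the key byte used at that position
        key[pos % key_len] = blob[pos] ^ crib[i]
    return bytes(key)


# Constructed sample data: a fake key=value config block and its encrypted form.
SAMPLE_KEY = bytes.fromhex("5a1f3c77e2098b4dc6a0f1")  # 11 bytes, constructed
SAMPLE_CONFIG = b"server=example.invalid\nport=443\nid=TEST-0001\n"  # constructed
SAMPLE_BLOB = xor_repeating(SAMPLE_CONFIG, SAMPLE_KEY)


def extract_config(blob: bytes = SAMPLE_BLOB, crib: bytes = b"server=example") -> bytes:
    """Recover the key from the crib, then decrypt the whole embedded blob."""
    key = recover_key(blob, crib)
    return xor_repeating(blob, key)


if __name__ == "__main__":
    print(extract_config().decode())
```

The same recovery works from a crib anywhere in the blob, as long as its offset is known and it spans at least one full key period.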
Researchers also found links between Komplex and a variant of the Carberp malware used by the Sofacy group in attacks targeting the U.S. government. While Carberp targets Windows systems, experts have identified several similarities, including in URL generation logic, file extensions, encryption and decryption methods, command handling, and Internet connectivity checks.
“Based on these observations, we believe that the author of Sofacy’s Carberp variant used the same code, or at least the same design, to create the Komplex Trojan,” Palo Alto Networks said. “A benefit of retaining many of the same functionalities within the Windows and OS X Trojans is that it would require fewer alterations to the C2 server application to handle cross-platform implants.”
“The Sofacy group created the Komplex Trojan to use in attack campaigns targeting the OS X operating system – a move that showcases their continued evolution toward multi-platform attacks,” Palo Alto researchers said. “The tool is capable of downloading additional files to the system, executing and deleting files, as well as directly interacting with the system shell. While detailed targeting information is not currently available, we believe Komplex has been used in attacks on individuals related to the aerospace industry, as well as attacks leveraging an exploit in MacKeeper to deliver the Trojan.”