A new Mac OS X Trojan known as Komplex has been discovered, and experts claim that it may be used by a cyber espionage group.
Komplex Is Actively Used by Hackers
Security researchers have spotted a new Trojan for the Mac OS X operating system known as Komplex. They attribute it to Sofacy, a cyber espionage group operating out of Russia.
The discovery was announced by Palo Alto Networks, whose researchers believe there are three versions of the malware. Based on their research, the samples were aimed at individuals in the aerospace industry. The three builds target x86, x64, and both architectures respectively.
The infection begins with Komplex's first-stage component, which exploits a known vulnerability in the MacKeeper anti-virus solution for Mac OS X. The component is disguised as a PDF document containing information about the Russian Federation's Space Program.
The malware then adds a .plist file to the computer's boot process and downloads the payload dropper. Next, it gathers information about the victim system and, once an Internet connection is available, initiates communication with the remote C&C server.
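The boot-process .plist described above is a launchd job, the standard macOS persistence mechanism. The following defender-side check, an added example that is not part of the original article or of Palo Alto Networks' research, parses a launchd plist and flags the properties that make such an entry worth investigating; the sample plist and its label com.example.updater are constructed for illustration.

```python
"""Flag suspicious launchd persistence entries of the kind Komplex drops.
Added defender example; the sample plist below is constructed, not a real sample."""
import plistlib
from pathlib import PurePosixPath

# Locations a non-root user can write to; a launchd job pointing here
# deserves a closer look than one under /System or /usr.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

# Constructed sample resembling an auto-start agent dropped by malware.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/demo/Library/.hidden/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

def analyze_launchd_plist(data: bytes) -> dict:
    """Return the job label, the program it runs and the reasons it looks suspicious."""
    job = plistlib.loads(data)
    program = job.get("Program")
    if program is None:
        args = job.get("ProgramArguments") or []
        program = args[0] if args else ""
    reasons = []
    if job.get("RunAtLoad"):
        reasons.append("starts at login/boot (RunAtLoad)")
    if job.get("KeepAlive"):
        reasons.append("restarted if killed (KeepAlive)")
    if program.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("program lives in a user-writable path")
    if any(part.startswith(".") for part in PurePosixPath(program).parts):
        reasons.append("program path contains a hidden directory")
    return {"label": job.get("Label", ""), "program": program, "reasons": reasons}

if __name__ == "__main__":
    # On a real host, run this over every file in ~/Library/LaunchAgents,
    # /Library/LaunchAgents and /Library/LaunchDaemons.
    print(analyze_launchd_plist(SAMPLE_PLIST))
```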
Depending on the commands sent from the server, the attackers choose what damage to inflict on the victim machines. Several modules have been identified; they allow Sofacy to download files to the machines, gather information, or execute arbitrary commands.
Based on the Trojan's behavior, the security experts believe that Komplex is a port of the Carberp Windows Trojan that was used against US government employees in May this year.
The Sofacy hacker collective is also known as Fancy Bear, APT28, Sednit, Strontium and Pawn Storm. It is one of the most active espionage groups. Security experts believe that they are the perpetrators of several large-scale hacks and data leaks.