![\"Komplex](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/09\/Komplex-Mac-Trojan.jpg\")
<\/p>\n<\/p>\n
A new OS X malware has been\u00a0discovered<\/a>\u00a0by security researchers from Palo Alto Networks. The malware, named “Komplex,” is a Mac Trojan created\u00a0by the Sofacy Group\u00a0and is apparently\u00a0targeting the aerospace industry.<\/p>\n During analysis, the researchers found that Komplex malware was used in the past by exploiting a MacKeeper vulnerability. However, this\u00a0new Komplex\u00a0Trojan is targeting Macs by way of\u00a0email attachments. Here’s what you need to know to stay safe!<\/p>\n What is the infection vector?<\/strong><\/p>\n Komplex ends up on a user’s system through spear phishing, a method used by cyber criminals to get a victim to open an email with a malicious attachment, and masks as a Russian aerospace program information PDF.<\/p>\n The person who receives the email\u00a0may\u00a0think they are opening a PDF file with future plans for the Russian aerospace program, but\u00a0in fact, it is a Trojan that will install files on the system and connect to a remote command & control (c&c) server. An actual PDF with said Russian aerospace details is opened in Preview, but this is just a decoy. This PDF is not downloaded but is part of the malicious attachment and is written in place.<\/p>\n Where does Komplex install?<\/strong><\/p>\n The Trojan\u00a0waits for an Internet connection and attempts to send a GET request to Google to confirm it’s not running in an\u00a0anti-analysis\/sandbox\u00a0environment. After confirming an active Internet connection, the Komplex payload begins carrying out its main functionality. Several files are placed on the system upon install and then moved to their final locations, which are:<\/p>\n \u2022 \/Users\/$USER\/Library\/LaunchAgents\/com.apple.updates.plist Files are initially placed in \/Users\/Shared\/, but are moved to their final destination:<\/p>\n Once all components are in place and Komplex is up and running,\u00a0it\u00a0can download, install and execute additional malware, as well as delete files.<\/p>\n While Komplex installs, the following pop-up may appear:<\/p>\n It’s important to note that regardless of which button is clicked, the malware will install. This warning is triggered by the binder (the executables responsible for installing the malware), which uses the SetFile command.<\/p>\n Should Mac users be concerned?<\/strong><\/p>\n While Komplex does not appear to be doing anything malicious after installing itself, this can change instantly\u00a0if the Sofacy Group decides to send commands for the C&C servers to relay. The risk here is currently for those working in the aerospace industry, but this technique can be used against OS X\u00a0and\u00a0macOS users anywhere.<\/p>\n As mentioned above, Komplex was used in the past by exploiting a MacKeeper vulnerability against Mac users. Another\u00a0tool that Komplex\u00a0shares a significant amount of functionality and traits with, called\u00a0Carberp, was also\u00a0used in past\u00a0attacks against Windows systems<\/a>.<\/p>\n The report mentions, “In addition to shared code and functionality, we also discovered Komplex command and control (C2) domains that overlapped with previously identified phishing campaign infrastructures associated with the Sofacy Group,” and “A benefit of retaining many of the same functionalities within the Windows and OS X Trojans is that it would require fewer alterations to the C2 server application to handle cross-platform implants,” which makes it easier for Sofacy Group to adapt and release future malware.<\/p>\n The Sofacy Group, also known as Fancy Bear, Pawn Storm, APT28 and Sednit has been active for years and has attacked government agencies in Eastern Europe and the West as well as several media organizations. They are believed to be behind the data breach at the National Committee of the Democratic Party and most recently the\u00a0hacking of the world anti-doping agency<\/a>. A group like this is not likely to go away any time soon, so more malware from them can be expected.<\/p>\n What steps can Mac users take to protect their computers?<\/strong><\/p>\n If infected, Mac users can manually remove the Komplex files to clean up the infection. From the Finder menu “Go,” select “Go to Folder” and copy\/paste each of the following paths (replace $USER with your own home folder name):<\/p>\n \u2022\u00a0\/Users\/$USER\/Library\/LaunchAgents\/com.apple.updates.plist If the files are found, your Mac is probably infected. Move the files to your trash and restart your Mac, then empty the trash and check the locations again. Your Mac should now be clear of Komplex.<\/p>\n
\n\u2022 \/Users\/Shared\/.local\/kextd<\/p>\n![\"Komplex](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/09\/komplex-malware-install-paths.png\")
<\/p>\n![\"Komplex](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/09\/Komplex-Install-Warning.png\")
<\/p>\n
\n\u2022\u00a0\/Users\/Shared\/.local\/kextd<\/p>\n