Komplex

Komplex is a backdoor that has been used by APT28 on OS X and appears to have been developed in a similar manner to XAgentOSX [1] [2].

ID: S0162
Type: MALWARE
Platforms: macOS
Version: 1.1
Created: 14 December 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1543.001 Create or Modify System Process: Launch Agent

The Komplex trojan creates a persistent launch agent at $HOME/Library/LaunchAgents/com.apple.updates.plist and loads it with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist.[2]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.[2]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

The Komplex C2 channel uses HTTP POST requests.[2]

Enterprise T1070.004 Indicator Removal: File Deletion

The Komplex trojan supports file deletion.[2]

Enterprise T1033 System Owner/User Discovery

The OsInfo function in Komplex collects the current running username.[2]

Enterprise T1057 Process Discovery

The OsInfo function in Komplex collects a running process list.[2]

Enterprise T1564.001 Hide Artifacts: Hidden Files and Directories

The Komplex payload is stored in a hidden directory at /Users/Shared/.local/kextd.[2]
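The two host artifacts above (a user LaunchAgent plist with an Apple-looking label, and a payload in a hidden directory under /Users/Shared) can be checked together. The following is an added defensive example, not code from this page or from any vendor tooling; the plist contents are constructed to model the described persistence, and the heuristics (hidden path component, /Users/Shared prefix, com.apple.* label outside system paths) are assumptions of this example that generalize beyond this one sample.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Constructed sample plists (assumptions for this example, not recovered from the
# malware): the first models the persistence artifact described above, an Apple-
# looking label whose program sits in a hidden directory under /Users/Shared.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updates</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.local/kextd</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array><string>/Applications/Sync.app/Contents/MacOS/sync</string></array>
</dict></plist>"""

# Prefixes where an agent labelled com.apple.* would legitimately keep its binary.
APPLE_PATHS = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

def program_path(plist_bytes):
    """Executable a launchd plist would start: Program, else ProgramArguments[0]."""
    d = plistlib.loads(plist_bytes)
    if "Program" in d:
        return d["Program"]
    args = d.get("ProgramArguments") or []
    return args[0] if args else ""

def assess_launch_agent(plist_bytes):
    """Heuristic findings for one LaunchAgent plist; an empty list means nothing flagged."""
    label = plistlib.loads(plist_bytes).get("Label", "")
    prog = program_path(plist_bytes)
    findings = []
    if any(part.startswith(".") for part in PurePosixPath(prog).parts[1:]):
        findings.append(f"program in hidden directory: {prog}")
    if prog.startswith("/Users/Shared/"):
        findings.append(f"program under shared, user-writable path: {prog}")
    if label.startswith("com.apple.") and not prog.startswith(APPLE_PATHS):
        findings.append(f"Apple-style label {label!r} but program outside system paths: {prog}")
    return findings

def scan_launch_agents(directory):
    """Assess every .plist in a LaunchAgents directory; returns {path: findings}."""
    results = {}
    for plist in Path(directory).glob("*.plist"):
        findings = assess_launch_agent(plist.read_bytes())
        if findings:
            results[str(plist)] = findings
    return results
```

On a live macOS host, scan_launch_agents(Path.home() / "Library/LaunchAgents") inspects the same directory the persistence technique writes to.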

Groups That Use This Software

ID Name References
G0007 APT28 [1][2][3]

References