The prolific APT gang allegedly behind the DNC hack and other targeted attacks against Western military and political targets is using a new Trojan called Komplex to infect OS X machines used in the aerospace industry.
The gang, known as Sofacy, APT28, Fancy Bear, Sednit and Pawn Storm, is spreading the malware via phishing emails promising insight into the future of Russia’s space program, researchers at Palo Alto Networks said on Monday.
“Apple does a great job at defending OS X. The only thing being exploited here is the user. But it’s important to remember, people are still a target no matter what OS you use,” said Ryan Olson, intelligence director at Unit 42 of Palo Alto Networks.
Sofacy has been active for more than two years and has been linked to attacks against NATO and military and political targets in Europe. More recently Sofacy was fingered by security firm Crowdstrike as being behind attacks against the Democratic National Committee resulting in the theft of research done by the DNC on presumptive Republican nominee Donald Trump.
Emails contain one attachment that binds an encrypted payload of the executable malware, scripts and a PDF. Users who double-click the Komplex malware attachment from within an email think they are only opening a PDF document. To lower victims' suspicions, the Komplex malware loads a 17-page PDF (roskosmos_2015-2025.pdf) on the targeted Mac OS X machine.
“Psychologically, if someone clicks on what they think is a PDF and it opens, they don’t think twice about it after that,” Olson said.
“The tool is capable of downloading additional files to the system, executing and deleting files, as well as directly interacting with the system shell,” wrote Dani Creus, Tyler Halfpop and Robert Falcone, who co-authored the report.
According to Unit 42’s technical breakdown of the Trojan: “The Komplex dropper component is saved to the system as ‘/tmp/content’ (SHA256:96a19a90caa41406b632a2046f3a39b5579fbf730aca2357f84bf23f2cbc1fd3) and is responsible for installing a third executable to the system and setting up persistence for the third executable to launch each time the OS X operating system starts.”
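As an added defender-side example (not code from the Unit 42 report or this article): a triage script that walks the launchd directories where a launch-at-startup item would be registered, flags any item whose binary runs from a staging directory such as /tmp, and hashes that binary against the dropper SHA256 quoted above. The launchd directories, the /tmp heuristic and the constructed sample plist are assumptions; the report excerpt does not say which persistence mechanism Komplex uses.

```python
import glob, hashlib, os, plistlib

# SHA256 of the Komplex dropper (/tmp/content) as published in the Unit 42 report.
KOMPLEX_DROPPER_SHA256 = "96a19a90caa41406b632a2046f3a39b5579fbf730aca2357f84bf23f2cbc1fd3"
# Assumed: directories launchd reads for items started at boot or at user login.
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
               os.path.expanduser("~/Library/LaunchAgents")]
# Constructed sample plist (not from the report) that launches a binary from /tmp.
SAMPLE_PLIST = (b'<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>'
                b'<key>ProgramArguments</key><array><string>/tmp/content</string></array>'
                b'</dict></plist>')

def file_sha256(path):
    """Hash a file, or return None if it is gone (the dropper may have cleaned up)."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def launched_program(plist_bytes):
    """Return the executable a launchd plist starts: Program, else ProgramArguments[0]."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments")
    return p.get("Program") or (args[0] if args else None)

def assess(plist_bytes, known_hashes=frozenset([KOMPLEX_DROPPER_SHA256]), hasher=file_sha256):
    """'ioc' if the launched binary matches a known sample hash, 'suspicious' if it
    runs from a world-writable staging directory such as /tmp, otherwise 'clean'."""
    exe = launched_program(plist_bytes)
    if exe is None:
        return "clean", None
    if hasher(exe) in known_hashes:
        return "ioc", exe
    if exe.startswith(("/tmp/", "/private/tmp/", "/var/tmp/")):
        return "suspicious", exe
    return "clean", exe

def scan(dirs=LAUNCH_DIRS):
    """Return (verdict, plist path, executable) for every non-clean launchd item."""
    hits = []
    for path in sorted(p for d in dirs for p in glob.glob(os.path.join(d, "*.plist"))):
        try:
            with open(path, "rb") as f:
                verdict, exe = assess(f.read())
        except Exception:  # unreadable or malformed plist: skip it, don't abort the sweep
            continue
        if verdict != "clean":
            hits.append((verdict, path, exe))
    return hits
```

Run `scan()` on a Mac under review; a `suspicious` hit on a missing binary is still worth a look, since the report notes the dropper installs a separate third executable for persistence.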
Komplex employs a number of anti-analysis and sandbox checks including a GET request to Google that determines Internet connectivity. “The payload will sleep until it receives a response from the HTTP requests to Google, which means Komplex will only communicate to its C2 servers in Internet enabled environments,” researchers wrote.
The PDF is written in Russian and purports to contain future insights into the Russian Federal Space Program’s projects dating from 2016 to 2025. Olson said Unit 42 does not know which nation state may be behind the Sofacy malware.
The Trojan, which was spotted in early August, shares many of the same attributes as the Carberp Trojan, a Windows-based malware also known to be used by Sofacy. Carberp and Komplex overlap in technique, both in how their binding encryption works and in how their command and control systems work, Olson said.
“During our analysis, we determined that Komplex was used in a previous attack campaign targeting individuals running OS X that exploited a vulnerability in the MacKeeper antivirus application to deliver Komplex as a payload,” wrote researchers.
The development of the Komplex Trojan, according to Unit 42, is “a move that showcases (Sofacy’s) continued evolution toward multi-platform attacks.”