Komplex

Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX [1] [2].

ID: S0162
Aliases: Komplex
Type: MALWARE
Platforms: macOS

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1024 | Custom Cryptographic Protocol | The Komplex C2 channel uses an 11-byte XOR algorithm to hide data. [2]
Enterprise | T1107 | File Deletion | The Komplex trojan supports file deletion. [2]
Enterprise | T1158 | Hidden Files and Directories | The Komplex payload is stored in a hidden directory at /Users/Shared/.local/kextd. [2]
Enterprise | T1159 | Launch Agent | The Komplex trojan creates a persistent launch agent at $HOME/Library/LaunchAgents/com.apple.updates.plist and loads it with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist. [2]
Enterprise | T1057 | Process Discovery | The OsInfo function in Komplex collects a running process list. [2]
Enterprise | T1071 | Standard Application Layer Protocol | The Komplex C2 channel uses HTTP POST requests. [2]
Enterprise | T1033 | System Owner/User Discovery | The OsInfo function in Komplex collects the current running username. [2]
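The launch-agent and hidden-directory entries above translate directly into host checks. The following is an added example (not from ATT&CK or the cited report) that inspects a user LaunchAgents plist for the two Komplex traits: an Apple-looking label planted in a per-user LaunchAgents directory, and a program path under a dot-directory such as /Users/Shared/.local/kextd. The sample plists, the victim username and the payload file name "kextd" inside that directory are constructed for the demonstration.

```python
import plistlib

# Indicators taken from the technique table for Komplex (ATT&CK S0162).
KOMPLEX_AGENT_LABEL = "com.apple.updates"
KOMPLEX_PAYLOAD_DIR = "/Users/Shared/.local/kextd"


def path_has_hidden_component(path):
    """True if any *directory* component of path starts with a dot."""
    parts = path.strip("/").split("/")
    return any(p.startswith(".") for p in parts[:-1])


def assess_launch_agent(plist_path, plist_bytes):
    """Return a list of findings (empty means nothing suspicious) for one plist."""
    findings = []
    try:
        data = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException:
        return [f"{plist_path}: not a parseable property list"]
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    # Apple ships its own agents under /System/Library; a com.apple.* label
    # inside a per-user LaunchAgents folder is how Komplex blends in.
    in_user_dir = "/Library/LaunchAgents/" in plist_path and not plist_path.startswith("/System/")
    if in_user_dir and label.startswith("com.apple."):
        findings.append(f"{plist_path}: Apple-style label '{label}' in a user LaunchAgents directory")
    if program.startswith(KOMPLEX_PAYLOAD_DIR):
        findings.append(f"{plist_path}: program '{program}' is under the known Komplex payload directory")
    elif path_has_hidden_component(program):
        findings.append(f"{plist_path}: program '{program}' runs from a hidden directory")
    return findings


# Constructed samples: a benign agent and one shaped like the Komplex persistence entry.
BENIGN_PATH = "/Users/victim/Library/LaunchAgents/com.example.sync.plist"
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.sync",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/sync"],
    "RunAtLoad": True,
})
SUSPECT_PATH = "/Users/victim/Library/LaunchAgents/com.apple.updates.plist"
SUSPECT_PLIST = plistlib.dumps({
    "Label": KOMPLEX_AGENT_LABEL,
    "ProgramArguments": [KOMPLEX_PAYLOAD_DIR + "/kextd"],  # file name is an assumption
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for path, blob in ((BENIGN_PATH, BENIGN_PLIST), (SUSPECT_PATH, SUSPECT_PLIST)):
        print(path, "->", assess_launch_agent(path, blob) or "clean")
```

On a live host, feed it the contents of each file in ~/Library/LaunchAgents and pair the result with `launchctl list` output to confirm whether the agent is actually loaded.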

Groups

Groups that use this software:

APT28

References