Komplex

Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX [1] [2].

ID: S0162
Type: MALWARE
Platforms: macOS
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1024 Custom Cryptographic Protocol

The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.[2]

Enterprise T1107 File Deletion

The Komplex trojan supports file deletion.[2]

Enterprise T1158 Hidden Files and Directories

The Komplex payload is stored in a hidden directory at /Users/Shared/.local/kextd.[2]

Enterprise T1159 Launch Agent

The Komplex trojan creates a persistent launch agent at $HOME/Library/LaunchAgents/com.apple.updates.plist and loads it with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist.[2]

Enterprise T1057 Process Discovery

The OsInfo function in Komplex collects a running process list.[2]

Enterprise T1071 Standard Application Layer Protocol

The Komplex C2 channel uses HTTP POST requests.[2]

Enterprise T1033 System Owner/User Discovery

The OsInfo function in Komplex collects the current running username.[2]
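The two host-based indicators above (the hidden payload path under T1158 and the launch agent name under T1159) can be checked directly on a macOS host. The following Python is an added example for defenders and is not code from the ATT&CK page or from the Komplex sample; it assumes the standard LaunchAgent plist keys (Program, ProgramArguments) and the sample plist it scans is constructed here. It also generalises slightly by flagging any agent launched from a dot-prefixed directory, not only the Komplex path.

```python
import plistlib
from pathlib import Path

# Indicators taken from this page: the hidden payload location (T1158) and
# the LaunchAgent plist name Komplex creates for persistence (T1159).
KOMPLEX_PAYLOAD_PATH = "/Users/Shared/.local/kextd"
KOMPLEX_AGENT_PLIST = "com.apple.updates.plist"


def launch_agent_indicators(plist_bytes: bytes, plist_name: str) -> list[str]:
    """Return the Komplex indicators matched by one LaunchAgent plist."""
    findings = []
    if plist_name == KOMPLEX_AGENT_PLIST:
        findings.append("agent filename matches " + KOMPLEX_AGENT_PLIST)
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # malformed XML and binary plists raise different types
        return findings + ["plist could not be parsed"]
    # Everything the agent would execute: Program plus ProgramArguments.
    paths = []
    if isinstance(data.get("Program"), str):
        paths.append(data["Program"])
    if isinstance(data.get("ProgramArguments"), list):
        paths += [a for a in data["ProgramArguments"] if isinstance(a, str)]
    for p in paths:
        if p.startswith(KOMPLEX_PAYLOAD_PATH):
            findings.append("runs the Komplex payload path: " + p)
        elif any(part.startswith(".") for part in Path(p).parts[1:-1]):
            # Generalisation: any agent launched from a dot-prefixed
            # (hidden) directory deserves a look, not only this one.
            findings.append("runs from a hidden directory: " + p)
    return findings


def scan_launch_agents(agents_dir: str) -> dict[str, list[str]]:
    """Apply the check to every .plist under e.g. ~/Library/LaunchAgents."""
    hits = {}
    for f in Path(agents_dir).expanduser().glob("*.plist"):
        found = launch_agent_indicators(f.read_bytes(), f.name)
        if found:
            hits[str(f)] = found
    return hits


# Constructed sample plist (label and path from the page, the rest is made
# up): what an agent written by Komplex could look like on disk.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.updates",
    "ProgramArguments": [KOMPLEX_PAYLOAD_PATH],
    "RunAtLoad": True,
})
```

Run scan_launch_agents("~/Library/LaunchAgents") on a host to list every agent that matches; a clean system returns an empty dictionary.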

Groups That Use This Software

ID Name References
G0007 APT28 [1] [2]

References