Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX [1] [2].

ID: S0162
Platforms: macOS
Version: 1.1
Created: 14 December 2017
Last Modified: 30 March 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | The Komplex C2 channel uses HTTP POST requests.[2] |
| Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | The Komplex trojan creates a persistent launch agent at $HOME/Library/LaunchAgents/com.apple.updates.plist and loads it with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist.[2] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.[2] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | The Komplex payload is stored in a hidden directory at /Users/Shared/.local/kextd.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | The Komplex trojan supports file deletion.[2] |
| Enterprise | T1057 | Process Discovery | The OsInfo function in Komplex collects a running process list.[2] |
| Enterprise | T1033 | System Owner/User Discovery | The OsInfo function in Komplex collects the current running username.[2] |
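
A defender-side check for the launch agent and hidden payload path listed above, as an added example that is not part of the original entry. The function names, the `/Users` scan root, the idea that the agent's program entry would point at the payload path, and the two generic heuristics (a program run from a dot-directory, a `com.apple.*` label in a per-user LaunchAgents folder) are assumptions made for illustration.

```python
import plistlib
from pathlib import Path

# Paths reported on this page for Komplex.
KOMPLEX_AGENT = "com.apple.updates.plist"
KOMPLEX_PAYLOAD = "/Users/Shared/.local/kextd"


def hidden_component(path):
    """True if any directory or file name in the path starts with a dot."""
    return any(p.startswith(".") and p not in (".", "..") for p in Path(path).parts)


def inspect_agent(plist_path):
    """Return the findings for one per-user launch agent plist (empty if clean)."""
    plist_path = Path(plist_path)
    findings = []
    if plist_path.name == KOMPLEX_AGENT:
        findings.append("file name matches the reported Komplex launch agent")
    try:
        with plist_path.open("rb") as fh:
            job = plistlib.load(fh)
        if not isinstance(job, dict):
            raise ValueError("top-level plist object is not a dictionary")
    except Exception:
        return findings + ["unparseable plist"]
    args = job.get("ProgramArguments")
    program = str(job.get("Program") or (args[0] if isinstance(args, list) and args else ""))
    if program == KOMPLEX_PAYLOAD:
        findings.append("program is the reported Komplex payload path")
    elif program and hidden_component(program):  # assumed heuristic
        findings.append("program runs from a hidden directory: " + program)
    if str(job.get("Label", "")).startswith("com.apple."):  # assumed heuristic
        findings.append("com.apple.* label in a per-user LaunchAgents directory")
    return findings


def scan_home_dirs(users_root="/Users"):
    """Map each flagged plist under <users_root>/*/Library/LaunchAgents to its findings."""
    report = {}
    for plist_path in sorted(Path(users_root).glob("*/Library/LaunchAgents/*.plist")):
        findings = inspect_agent(plist_path)
        if findings:
            report[str(plist_path)] = findings
    return report


if __name__ == "__main__":
    for path, findings in scan_home_dirs().items():
        print(path, *findings, sep="\n  - ")
```

The heuristics can flag legitimate software, so treat a hit on anything other than the two reported paths as a lead to review rather than a confirmed detection.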

Groups That Use This Software

ID Name References
G0007 APT28