Komplex

Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX [1] [2].

ID: S0162
Type: MALWARE
Platforms: macOS
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1024 | Custom Cryptographic Protocol | The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.[2]
Enterprise | T1107 | File Deletion | The Komplex trojan supports file deletion.[2]
Enterprise | T1158 | Hidden Files and Directories | The Komplex payload is stored in a hidden directory at /Users/Shared/.local/kextd.[2]
Enterprise | T1159 | Launch Agent | The Komplex trojan creates a persistent launch agent at $HOME/Library/LaunchAgents/com.apple.updates.plist and loads it with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist.[2]
Enterprise | T1057 | Process Discovery | The OsInfo function in Komplex collects a running process list.[2]
Enterprise | T1071 | Standard Application Layer Protocol | The Komplex C2 channel uses HTTP POST requests.[2]
Enterprise | T1033 | System Owner/User Discovery | The OsInfo function in Komplex collects the current running username.[2]
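The two host artifacts the table names, the hidden payload directory and the Apple-styled launch agent in a user's LaunchAgents folder, are the easiest things for a defender to check for. The following Python is an added example, not code from the ATT&CK page or from any Komplex analysis: it classifies file paths against the two indicators above and parses a launch agent plist to see whether it points into the hidden payload directory. The sample plist is constructed here for the demonstration; the binary name inside /Users/Shared/.local/kextd is a placeholder, since the page does not name it. The rule that a com.apple.* agent under a home directory's LaunchAgents is unusual is a general macOS observation (Apple's own agents live under /System/Library/LaunchAgents), not something stated on the page.

```python
import plistlib
from pathlib import PurePosixPath

# Persistence artifacts named on the ATT&CK page for Komplex.
KOMPLEX_PAYLOAD_DIR = "/Users/Shared/.local/kextd"
KOMPLEX_AGENT_NAME = "com.apple.updates.plist"


def classify_path(path: str) -> list:
    """Return indicator tags for a single absolute POSIX path (empty list if none)."""
    findings = []
    p = PurePosixPath(path)
    parts = p.parts

    # Exact hidden payload directory, or anything stored inside it.
    if path == KOMPLEX_PAYLOAD_DIR or path.startswith(KOMPLEX_PAYLOAD_DIR + "/"):
        findings.append("komplex-payload-dir")

    # Launch agents: .../Library/LaunchAgents/<name>.plist
    if len(parts) >= 3 and parts[-3] == "Library" and parts[-2] == "LaunchAgents":
        if p.name == KOMPLEX_AGENT_NAME:
            findings.append("komplex-launch-agent-name")
        # Apple-named agents normally live under /System/Library/LaunchAgents,
        # so a com.apple.* plist inside a user's home directory stands out.
        if p.name.startswith("com.apple.") and len(parts) > 1 and parts[1] == "Users":
            findings.append("apple-named-agent-in-user-launchagents")
    return findings


def inspect_launch_agent(plist_bytes: bytes) -> dict:
    """Parse a launch agent plist and report why it looks suspicious, if it does."""
    data = plistlib.loads(plist_bytes)
    targets = []
    if data.get("Program"):
        targets.append(str(data["Program"]))
    targets += [str(a) for a in (data.get("ProgramArguments") or [])]

    reasons = []
    if any(t == KOMPLEX_PAYLOAD_DIR or t.startswith(KOMPLEX_PAYLOAD_DIR + "/") for t in targets):
        reasons.append("program-in-komplex-payload-dir")
    label = str(data.get("Label", ""))
    if label.startswith("com.apple."):
        reasons.append("apple-style-label")

    return {
        "label": label,
        "targets": targets,
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def sample_komplex_style_plist() -> bytes:
    """Constructed sample resembling the persistence described on the page (binary name is a placeholder)."""
    return plistlib.dumps({
        "Label": "com.apple.updates",
        "ProgramArguments": [KOMPLEX_PAYLOAD_DIR + "/PLACEHOLDER_BINARY"],
        "RunAtLoad": True,
        "KeepAlive": True,
    })


def sample_benign_plist() -> bytes:
    """Constructed sample of an ordinary third-party user agent."""
    return plistlib.dumps({
        "Label": "com.example.syncagent",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/syncagent", "--daemon"],
        "RunAtLoad": True,
    })


if __name__ == "__main__":
    for candidate in [
        "/Users/alice/Library/LaunchAgents/com.apple.updates.plist",
        "/Users/Shared/.local/kextd",
        "/System/Library/LaunchAgents/com.apple.Finder.plist",
    ]:
        print(candidate, "->", classify_path(candidate) or "clean")
    print(inspect_launch_agent(sample_komplex_style_plist()))
    print(inspect_launch_agent(sample_benign_plist()))
```

On a real host you would feed classify_path the output of a directory walk over /Users and pass each plist's bytes to inspect_launch_agent; matching only on the exact plist name is deliberately kept as a separate tag from the weaker Apple-naming heuristic so that triage can weight them differently.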

Groups

Groups that use this software:

APT28

References