Komplex

Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX [1] [2].

ID: S0162
Type: MALWARE
Platforms: macOS
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1024 | Custom Cryptographic Protocol | The Komplex C2 channel uses an 11-byte XOR algorithm to hide data. [2] |
| Enterprise | T1107 | File Deletion | The Komplex trojan supports file deletion. [2] |
| Enterprise | T1158 | Hidden Files and Directories | The Komplex payload is stored in a hidden directory at /Users/Shared/.local/kextd. [2] |
| Enterprise | T1159 | Launch Agent | The Komplex trojan creates a persistent launch agent at $HOME/Library/LaunchAgents/com.apple.updates.plist and loads it with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist. [2] |
| Enterprise | T1057 | Process Discovery | The OsInfo function in Komplex collects a running process list. [2] |
| Enterprise | T1071 | Standard Application Layer Protocol | The Komplex C2 channel uses HTTP POST requests. [2] |
| Enterprise | T1033 | System Owner/User Discovery | The OsInfo function in Komplex collects the current running username. [2] |
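As an added defender-side example (not MITRE's code and not code from the cited reports), the following Python hunt script looks for the persistence pattern described above: a launch agent whose executable lives in a hidden directory. The label com.apple.updates and the path /Users/Shared/.local/kextd come from this entry; the sample plist and the scan of ~/Library/LaunchAgents are constructed, and the last check (a com.apple.* label pointing outside /System or /usr) generalizes beyond Komplex.

```python
# Added hunt for the Komplex pattern: a T1159 launch agent whose executable sits in a T1158 hidden directory.
import plistlib
from pathlib import Path

# Indicators taken from the ATT&CK entry; every other value here is constructed.
KOMPLEX_LABEL = "com.apple.updates"
KOMPLEX_DIR = "/Users/Shared/.local/kextd"

def hidden_components(path: str) -> list:
    """Path components that start with '.', i.e. hidden directories or files."""
    return [p for p in Path(path).parts if p.startswith(".") and p not in (".", "..")]

def analyze_plist(data: bytes, source: str = "<memory>") -> dict:
    """Parse one launchd plist and return what, if anything, looks suspicious."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    reasons = []
    if hidden_components(program):
        reasons.append("executable lives in a hidden directory")
    if program.startswith(KOMPLEX_DIR):
        reasons.append("path matches the Komplex payload directory")
    if label == KOMPLEX_LABEL:
        reasons.append("label matches the Komplex launch agent")
    # Generalization: Apple-looking labels should point at system binaries.
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/")):
        reasons.append("com.apple.* label but executable outside /System or /usr")
    return {"source": source, "label": label, "program": program,
            "suspicious": bool(reasons), "reasons": reasons}

def scan_launch_agents(home: Path) -> list:
    """Analyze every plist under ~/Library/LaunchAgents; return the flagged ones."""
    hits = []
    for p in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        result = analyze_plist(p.read_bytes(), str(p))
        if result["suspicious"]:
            hits.append(result)
    return hits

# Constructed sample modelled on the page's description; not a captured artifact.
SAMPLE_PLIST = plistlib.dumps({
    "Label": KOMPLEX_LABEL,
    "ProgramArguments": [KOMPLEX_DIR + "/kextd"],
})

if __name__ == "__main__":
    print(analyze_plist(SAMPLE_PLIST))
    for hit in scan_launch_agents(Path.home()):
        print(hit)
```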

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [1] [2] |

References