Komplex

Malware updated 2 months ago (2024-11-29T14:48:06.205Z)
Komplex is a backdoor Trojan for macOS believed to be used by the Sofacy group, a cyber espionage group. It shares similarities with XAgentOSX, another tool attributed to the same actor. The malware's authors appear to have named it Komplex themselves; it was discovered during research into Sofacy. Shared project paths found inside both tools indicate that the same threat actor developed Komplex and XAgentOSX, and Sofacy is suspected of using Komplex to download and install XAgentOSX on compromised systems, thereby expanding its command set.

Komplex provides Remote Access Trojan (RAT) functionality on the Mac OS X operating system, and the threat group maintains variants that operate on the Apple iOS and Google Android mobile operating systems. The macOS variant uses a network communications method similar to that of its Windows counterpart, indicating the group's continued use of consolidated C2 services to control compromised hosts. The name "Komplex" comes from several folder paths embedded in the Mach-O file, such as "/Users/kazak/Desktop/Project/komplex". This file is the Komplex dropper, responsible for the next stage of installation and for maintaining persistence. Reverse engineering of the Komplex payload identified several code overlaps worth exploring; its custom string decryption algorithm uses an XOR key to decrypt strings within the payload.

The purpose of the dropped components is to install and execute the Komplex payload. The 'start.sh' script, saved to '/Users/Shared/start.sh', calls the system command 'launchctl' to load 'com.apple.updates.plist' into 'launchd'. That plist sets the properties of the Komplex payload, which is executed from "/Users/Shared/.local/kextd" at system startup, so the payload runs automatically each time the system starts.
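A defender-side check for the persistence artifacts named in the description, written here as an added example (it is not code from this page or from any vendor report). It looks for '/Users/Shared/start.sh', the '/Users/Shared/.local/kextd' payload path and a 'com.apple.updates.plist' entry; because the description does not say where the plist is written, the standard launchd directories are assumed as search locations. Source the file and call komplex_persistence_check with an optional root (a mounted image or test tree) to scan something other than the live system.

```shell
#!/bin/sh
# Hunt for the Komplex persistence artifacts described above.
# Usage: komplex_persistence_check [ROOT]   (ROOT defaults to /)
# Prints one line per finding; returns 0 when nothing is found, 1 otherwise.
komplex_persistence_check() {
    root="${1:-/}"
    root="${root%/}"   # strip trailing slash so "$root/Users/..." joins cleanly
    found=0

    # Paths explicitly named in the description.
    for p in "$root/Users/Shared/start.sh" "$root/Users/Shared/.local/kextd"; do
        if [ -e "$p" ]; then
            echo "ARTIFACT $p"
            found=1
        fi
    done

    # The plist that start.sh loads via launchctl. Its on-disk location is not
    # given on the page, so the usual launchd search directories are assumed.
    for d in "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons" \
             "$root"/Users/*/Library/LaunchAgents; do
        [ -f "$d/com.apple.updates.plist" ] || continue
        echo "PLIST $d/com.apple.updates.plist"
        found=1
    done

    # start.sh is described as calling launchctl; flag that if present.
    if [ -f "$root/Users/Shared/start.sh" ] \
       && grep -q 'launchctl' "$root/Users/Shared/start.sh"; then
        echo "LAUNCHCTL $root/Users/Shared/start.sh"
        found=1
    fi

    return "$found"
}
```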
Description last updated: 2024-05-04T19:16:05.136Z
Aliases We are not currently tracking any aliases