Komplex

Malware Profile Updated 24 days ago
Komplex is a form of malware believed to be used by the Sofacy group, a cyber espionage group. This backdoor Trojan targets macOS systems and shares similarities with XAgentOSX, another tool believed to have been developed by the same actor. Its authors named it Komplex; it was discovered during our research into Sofacy's activity. It appears that the same threat actor developed both Komplex and XAgentOSX, as evidenced by the shared project paths within the two tools. We suspect that Sofacy uses Komplex to download and install the XAgentOSX tool on compromised systems, thereby expanding its command set.

Komplex provides Remote Access Trojan (RAT) functionality on the Mac OS X operating system, and the threat group maintains variants that operate on the Apple iOS and Google Android mobile operating systems. The macOS variant uses a network communications method similar to that of its Windows counterpart, indicating the group's continued use of consolidated C2 services to control compromised hosts.

The name "Komplex" originates from several folder paths included within the Mach-O file, such as "/Users/kazak/Desktop/Project/komplex". This Mach-O file is the Komplex dropper, which is used in the next stage of installation and to maintain persistence. Upon reverse engineering the Komplex payload, we identified several code overlaps worth exploring. A screenshot of Komplex's custom string decryption algorithm revealed an XOR key used to decrypt strings within the payload.

The ultimate purpose of these components is to install and execute the Komplex payload. The 'start.sh' script loads 'com.apple.updates.plist', which sets the properties for the Komplex payload executed from "/Users/Shared/.local/kextd" at system startup. The shell script saved to '/Users/Shared/start.sh' calls the system command 'launchctl' to add the plist entry to 'launchd', ensuring that the Komplex payload runs automatically each time the system starts.
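As an added example (not code from the profile or from the original research), the following Python inspects a launchd job plist and a start script for the persistence artefacts described above: the payload path /Users/Shared/.local/kextd, the com.apple.updates.plist name, and an Apple-style job label that points at a binary under /Users. The plist keys and the plist's on-disk location are assumptions, since the profile only names the plist and the payload path.

```python
import plistlib
import re

# Indicators quoted in the profile text above.
KOMPLEX_PAYLOAD_PATH = "/Users/Shared/.local/kextd"
KOMPLEX_PLIST_NAME = "com.apple.updates.plist"
# An Apple-style job label pointing at a binary under /Users is a masquerading tell.
APPLE_LABEL = re.compile(r"^com\.apple\.")
USER_PATH = re.compile(r"^/Users/")


def inspect_launchd_plist(plist_bytes: bytes) -> list:
    """Return findings for one launchd job plist (empty list if nothing suspicious)."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    label = job.get("Label", "")
    findings = []
    if program == KOMPLEX_PAYLOAD_PATH:
        findings.append("known Komplex payload path: " + program)
    if APPLE_LABEL.match(label) and USER_PATH.match(program):
        findings.append(f"Apple-style label {label!r} runs user-path binary {program}")
    # RunAtLoad is normal on its own; only note it when something else already fired.
    if findings and job.get("RunAtLoad"):
        findings.append("RunAtLoad set: job executes at every startup")
    return findings


def inspect_start_script(text: str) -> list:
    """Flag lines that hand the Komplex plist to launchctl, as start.sh does."""
    return ["launchctl loads " + KOMPLEX_PLIST_NAME + ": " + line.strip()
            for line in text.splitlines()
            if "launchctl" in line and KOMPLEX_PLIST_NAME in line]


# Constructed samples: the plist keys and the plist's on-disk location are
# assumptions, since the profile only names the plist and the payload path.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.updates",
    "ProgramArguments": [KOMPLEX_PAYLOAD_PATH],
    "RunAtLoad": True,
})
SAMPLE_SCRIPT = "#!/bin/sh\nlaunchctl load -w /Users/Shared/" + KOMPLEX_PLIST_NAME + "\n"
# A benign job with the same RunAtLoad setting should produce no findings.
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.backup",
                               "ProgramArguments": ["/usr/local/bin/backup"],
                               "RunAtLoad": True})

if __name__ == "__main__":
    for finding in inspect_launchd_plist(SAMPLE_PLIST) + inspect_start_script(SAMPLE_SCRIPT):
        print("[!]", finding)
```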
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Komplex malware was read from the documents corpus below. This display is limited to 20 results.

Source   Created At   Title
MITRE    a year ago   Sofacy’s ‘Komplex’ OS X Trojan
MITRE    a year ago   XAgentOSX: Sofacy’s XAgent macOS Tool
CERT-EU  a year ago   Ukraine news on Thursday: FSB searches for Ukrainians after the murder of a Russian blogger
MITRE    a year ago   IRON TWILIGHT Supports Active Measures
CERT-EU  a year ago   DoppelPaymer: raids against ransomware gang in North Rhine-Westphalia and Ukraine
CERT-EU  a year ago   Windows 11: attackers bypass Secure Boot with the BlackLotus UEFI bootkit
CERT-EU  a year ago   Safety representatives sound the alarm about the working environment at Klarna
CERT-EU  a year ago   The Swedish AI geniuses: "The cost of intelligence is heading toward zero"
CERT-EU  a year ago   Die Turonen: Thuringia's brown mafia and its weapons
CERT-EU  a year ago   Record-label giant's new demand to Spotify: stop AI
CERT-EU  a year ago   Managing the crisis in identity management, but how?
CERT-EU  a year ago   The darknet: an insight into the hidden world of the internet | ZDNet.de
CERT-EU  a year ago   5G? But please make it secure! | ZDNet.de
CERT-EU  a year ago   Is the AI Act slowing AI development in Europe?