Komplex

Malware Profile Updated 3 months ago
Komplex is a backdoor Trojan believed to be used by the Sofacy group, a cyber espionage group. It targets macOS systems and shares similarities with XAgentOSX, another tool attributed to the same actor. The name "Komplex" originates from several folder paths embedded in the Mach-O file, such as "/Users/kazak/Desktop/Project/komplex", and the project paths shared by both tools indicate that the same threat actor developed Komplex and XAgentOSX. We suspect that Sofacy uses Komplex to download and install the XAgentOSX tool on compromised systems, thereby expanding its command set.

Komplex provides Remote Access Trojan (RAT) functionality on the Mac OS X operating system, and the threat group maintains variants that operate on the Apple iOS and Google Android mobile operating systems. The macOS variant uses a network communications method similar to that of its Windows counterpart, indicating the group's continued use of consolidated C2 services to control compromised hosts.

The Mach-O file containing those paths is the Komplex dropper, which is used in the next stage of installation and to maintain persistence. Reverse engineering the Komplex payload revealed several code overlaps worth exploring; its custom string decryption algorithm uses an XOR key to decrypt strings within the payload. The purpose of the dropper's components is to install and execute the Komplex payload: a shell script saved to '/Users/Shared/start.sh' calls the system command 'launchctl' to load 'com.apple.updates.plist' into 'launchd', and that plist sets the properties of the Komplex payload, which is executed from '/Users/Shared/.local/kextd' at system startup. This ensures the payload runs automatically each time the system starts.
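A defender-side triage check for the launchd persistence pattern described above, written as an added example rather than code from this page or from the Komplex research; the Label value, the benign control plist and the list of Apple binary directories are assumptions.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed sample modelled on the com.apple.updates.plist / kextd persistence
# described above; the Label value is an assumption, not taken from the page.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.updates</string>
    <key>ProgramArguments</key>
    <array><string>/Users/Shared/.local/kextd</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign control: an Apple-style label backed by a system binary.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.example.helper</string>
    <key>Program</key><string>/usr/libexec/example-helper</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Directories where Apple-labelled launchd jobs normally keep their executables (assumed list).
APPLE_BINARY_DIRS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def triage_launchd_plist(data: bytes) -> list[str]:
    """Return the reasons a launchd plist matches the Komplex persistence pattern."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program = args[0]
    reasons = []
    # An Apple-looking label pointing outside Apple's own binary locations.
    if label.startswith("com.apple.") and not program.startswith(APPLE_BINARY_DIRS):
        reasons.append(f"Apple-style label {label!r} runs non-system binary {program!r}")
    # Hidden directory component, e.g. /Users/Shared/.local
    if any(part.startswith(".") for part in PurePosixPath(program).parts[1:]):
        reasons.append(f"program is hidden inside a dot-directory: {program}")
    # /Users/Shared is writable by every local user, so anything there is suspect.
    if program.startswith("/Users/Shared/"):
        reasons.append(f"program executes from world-writable /Users/Shared: {program}")
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad is set, so the job launches at every boot or login")
    return reasons
```

Run it over the plists in /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents to surface jobs worth a closer look.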
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
XAgentOSX (1 vote): XAgentOSX, also known as Sofacy's XAgent macOS Tool, is a malicious software (malware) developed by the same actor who created the Komplex tool, according to research conducted by PaloAlto Networks. This malware operates by exploiting and damaging computer systems, often infiltrating them through su
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Dropper
Trojan
exploited
Vulnerability
Phishing
Payload
Windows
Malware
Exploit
Apple’s
Ios
Android
Rat
Antivirus
Decoy
Beacon
Encrypt
exploitation
Exploits
Macos
Associated Malware
ID (type, votes): Profile Description
Carberp (Unspecified, 1 vote): Carberp is a notable malware that has been widely used and modified by various threat actors. Its source code, which was leaked in 2013, has become the basis for a multitude of other malicious software due to its sophisticated design and capabilities. The malware can infiltrate systems through dubio
Xagent (Unspecified, 1 vote): XAgent is a sophisticated malware developed by the Sofacy group, also known as APT28 or Fancy Bear. This malicious software was added to the group's arsenal in 2013, alongside other backdoors and tools such as CORESHELL, SPLM (also known as Xagent or CHOPSTICK), JHUHUGIT, AZZY, and others. XAgent is
Associated Threat Actors
ID (type, votes): Profile Description
Sofacy (Unspecified, 1 vote): Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e
APT28 (Unspecified, 1 vote): APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Sofacy Group (Unspecified, 1 vote): The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a significant threat actor in the global cybersecurity landscape. Active since at least 2007, this group has targeted governments, militaries, and security organizations worldwide. The group's activit
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Komplex malware was read from the document corpus below. This display is limited to 20 results.
Source, created at: Title
CERT-EU, a year ago: Bremst der AI Act die KI-Entwicklung in Europa?
CERT-EU, a year ago: 5G? Aber bitte in sicher! | ZDNet.de
MITRE, a year ago: IRON TWILIGHT Supports Active Measures
MITRE, a year ago: XAgentOSX: Sofacy’s XAgent macOS Tool
MITRE, a year ago: Sofacy’s ‘Komplex’ OS X Trojan
CERT-EU, a year ago: Windows 11: Angreifer umgehen mit UEFI-Bootkit BlackLotus Secure Boot
CERT-EU, a year ago: DoppelPaymer: Razzien gegen Ransomware-Gang in Nordrhein-Westfalen und Ukraine
CERT-EU, a year ago: Die Krise im Identitätsmanagement bewältigen – aber wie?
CERT-EU, a year ago: Skyddsombud slår larm om arbetsmiljön på Klarna
CERT-EU, a year ago: Skivbolagsjättens nya krav på Spotify: Stoppa AI
CERT-EU, a year ago: Ukraine-News am Donnerstag: FSB sucht Ukrainer nach Mord an russischem Blogger
CERT-EU, a year ago: Svenska AI-genierna: ”Kostnaden på intelligens går mot noll”
CERT-EU, a year ago: Die Turonen: Thüringens braune Mafia und ihre Waffen
CERT-EU, a year ago: Das Darknet - Einblick in die verborgene Welt des Internets | ZDNet.de