Komplex is a trojan that targets systems running Mac OS X, specifically those used in the aerospace industry. It is distributed via malicious email attachments disguised as a PDF file and exploits a vulnerability in the MacKeeper antivirus application to deliver the payload. To avoid suspicion, an actual PDF file opens when the victim clicks on the attachment, while the malware executable infects the system in the background. Komplex can download additional files, execute and delete other files, and interact directly with the system shell. It also has anti-detection and anti-analysis features that check for the presence of sandboxes and malware analysis software. It sends a GET request to Google to determine internet connectivity and remains dormant until it receives a response. Komplex has been attributed to the prolific APT group Sofacy, which is also allegedly responsible for the Democratic National Committee email leak.

Reporting and Technical Details

  • September 2016: Palo Alto Networks research team, Unit 42, identified the Komplex trojan and its association with the Sofacy APT group. (Palo Alto Networks)
  • February 2017: Komplex was used by APT28 to infect Mac systems with the XAgentOSX trojan. (Palo Alto Networks)
