APT Gang Sofacy is Targeting OS X Machines with “Komplex” Trojan

By Joseph Lorenz on October 4, 2016

Sources: https://threatpost.com/sofacy-apt-targeting-os-x-machines-with-komplex-trojan/120882/ (Threatpost); http://www.securityweek.com/russian-cyberspies-use-komplex-trojan-target-os-x-systems (SecurityWeek)

The notorious APT gang Sofacy, also known as APT28, Fancy Bear, Sednit and Pawn Storm, has been using a new Trojan called Komplex to infect OS X machines. Sofacy has been active for more than two years and has been linked to attacks against the United States government, the German parliament, and the World Anti-Doping Agency (WADA).

According to researchers at Palo Alto Networks, Komplex attacks start with a binder component that deploys a decoy document. The emails carry a single attachment that binds together an encrypted payload consisting of the executable, scripts, and a PDF. When a user double-clicks the attachment, they believe they are opening a PDF document. To avoid suspicion the malware loads a 17-page PDF named roskosmos_2015-2025.pdf; as a Palo Alto researcher put it, “Psychologically, if someone clicks on what they think is a PDF and it opens, they don’t think twice about it after that.” The tool is capable of downloading additional files to the system, executing and deleting files, and interacting directly with the system shell. The Komplex Trojan also has a number of anti-analysis and sandbox checks, one of which is a GET request to Google that determines whether the machine has Internet connectivity.
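The binder technique described above works because the victim trusts the attachment's apparent file type rather than its contents. The following is an added defender-side example, not code from the original reporting or from the malware itself: it classifies an attachment by its leading magic bytes (a `%PDF-` header versus a Mach-O or universal-binary header), flags a document-named file that is actually native code, and notes whether a PDF is carried inside the file, which is how a decoy document travels with a payload. The sample inputs are constructed, not real Komplex artifacts.

```python
# Mach-O magic numbers (32/64-bit, both byte orders) plus the FAT/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC    (32-bit, big-endian)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM    (32-bit, little-endian)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64 (64-bit, big-endian)
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64 (64-bit, little-endian)
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC   (universal binary; also Java .class, so treat as a hint)
}

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".rtf")


def classify(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the file name entirely."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    return "other"


def contains_embedded_pdf(data: bytes) -> bool:
    """True if a PDF header appears after offset 0, i.e. a document bundled inside another file."""
    return data.find(b"%PDF-", 1) != -1


def assess_attachment(name: str, data: bytes) -> dict:
    """Flag attachments whose document-style name disagrees with their real content."""
    kind = classify(data)
    looks_like_doc = name.lower().endswith(DOC_EXTENSIONS)
    # Native code is suspicious in any mail attachment; so is a "document" that is not a PDF.
    suspicious = kind == "macho" or (looks_like_doc and kind != "pdf")
    return {
        "name": name,
        "kind": kind,
        "embedded_pdf": contains_embedded_pdf(data),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    # Constructed samples: a genuine PDF, and a Mach-O binary carrying a PDF as decoy.
    genuine = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< >>\nendobj\n"
    binder = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"%PDF-1.5\n(decoy)\n"
    for name, blob in (("report.pdf", genuine), ("report.pdf", binder)):
        print(assess_attachment(name, blob))
```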

The PDF in the malware is written in Russian and presents a forward-looking view of the Russian Federal Space Program’s projects from 2016 to 2025. Based on previous attacks, Sofacy is also believed to be a Russia-linked cyber espionage group. Although researchers and experts cannot yet pinpoint which organizations are being targeted with this OS X Trojan, they believe the aerospace industry is a likely target.