APT28 is a Russian hacking group that was previously blamed for hacking WADA and DNC servers.
The group of hackers behind the infamous DNC hack, the World Anti-Doping Agency (WADA) breach and other such feats targeting sensitive Western military and governmental entities is at it again. This time, it is using Komplex, a relatively new Trojan that infects OS X devices.
This particular group is known under numerous names, such as APT28, Sofacy, Pawn Storm, Fancy Bear and Sednit. It has remained active for over 2 years and has already conducted various high-profile hacks, including that of the DNC (Democratic National Committee), which compromised data from research done on Republican nominee Donald Trump.
Komplex, however, is being distributed through phishing emails, which lure unsuspecting users with the promise of exclusive insights into Russia’s space program and its upcoming projects. Who wouldn’t be interested in knowing about that?
Palo Alto Networks researchers were the first to discover this new Trojan. According to Ryan Olson, intelligence director of Palo Alto Networks’ Unit 42, “Apple does a great job at defending OS X. The only thing being exploited here is the user. But it’s important to remember, people are still a target no matter what OS you use.”
The emails sent to the victims contain a file attachment holding an encrypted payload: the executable malware file, a PDF and scripts. When the attachment is clicked, it unleashes the Komplex malware while the victims believe they are opening a simple PDF file. To look authentic, the malware does open a 17-page PDF named roskosmos_2015-2025.pdf on the OS X machine.
Olson states: “Psychologically if someone clicks on what they think is a PDF and it opens, they don’t think twice about it after that.”
Other Unit 42 authors, namely Dani Creus, Robert Falcone and Tyler Halfpop, wrote that:
“The tool is capable of downloading additional files to the system, executing and deleting files, as well as directly interacting with the system shell. The Komplex dropper component is saved to the system as ‘/tmp/content’.”
The malware installs another executable on the machine, which is launched whenever the OS X system starts. Komplex performs numerous anti-analysis and sandbox checks, including sending a GET request to Google to verify that it has an Internet connection. The payload sleeps until a response to those HTTP requests is received, which suggests that the malware will only communicate with its command and control servers once an Internet connection is confirmed.
The PDF files are reportedly in Russian and claim to contain information about the Russian space program’s projects planned between 2016 and 2025, but it still cannot be confirmed which nation state is sponsoring this new campaign.
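As an added defender-side example (not code from the article, Palo Alto Networks or Unit 42), here is a small macOS triage script that parses launchd persistence entries and flags any whose program is the dropper path quoted above; the rule that any launch item running out of /tmp is suspicious, the sample plists and the function names are assumptions constructed for this illustration.

```python
import os
import plistlib
from typing import Dict, List, Optional

# Dropper path from the Unit 42 description quoted in the article.
KOMPLEX_DROPPER_PATH = "/tmp/content"
# Standard launchd locations, read only when scanning a live machine.
LAUNCH_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")

def launch_item_program(plist: dict) -> Optional[str]:
    """Executable a launchd item runs: Program, else first ProgramArguments entry."""
    program = plist.get("Program")
    if isinstance(program, str):
        return program
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None

def find_suspicious_launch_items(items: Dict[str, bytes]) -> List[str]:
    """Flag plists whose program is the Komplex dropper path or, as an assumed
    heuristic not stated in the article, any executable under /tmp."""
    hits = []
    for name, raw in items.items():
        try:
            plist = plistlib.loads(raw)
        except Exception:
            continue  # unparsable file: skip it rather than abort the triage
        program = launch_item_program(plist)
        if program and (program == KOMPLEX_DROPPER_PATH or program.startswith("/tmp/")):
            hits.append(name)
    return sorted(hits)

def load_launch_items(dirs=LAUNCH_DIRS) -> Dict[str, bytes]:
    """Read every .plist from the launchd directories that exist on this host."""
    items = {}
    for d in (os.path.expanduser(p) for p in dirs):
        for fn in os.listdir(d) if os.path.isdir(d) else []:
            if fn.endswith(".plist"):
                with open(os.path.join(d, fn), "rb") as fh:
                    items[os.path.join(d, fn)] = fh.read()
    return items

# Constructed sample items (not real artifacts): a benign entry, a persistence
# entry pointing at the dropper path, and a corrupt file.
SAMPLE_ITEMS = {
    "com.example.benign.plist": plistlib.dumps(
        {"Label": "com.example.benign", "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True}),
    "com.example.suspicious.plist": plistlib.dumps(
        {"Label": "com.example.suspicious", "Program": KOMPLEX_DROPPER_PATH, "RunAtLoad": True}),
    "corrupt.plist": b"<not a plist>",
}
```

Running `find_suspicious_launch_items(load_launch_items())` on a Mac scans the real launchd directories; `find_suspicious_launch_items(SAMPLE_ITEMS)` exercises the logic offline and flags only the constructed suspicious entry.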
Olson identified another aspect associated with Komplex malware:
“During our analysis, we determined that Komplex was used in a previous attack campaign targeting individuals running OS X that exploited a vulnerability in the MacKeeper antivirus application to deliver Komplex as a payload.”
What we can conclude is that Komplex’s sophistication shows that Sofacy has greatly improved its ability to perform multi-platform attacks over time.