Trojan.MacOS.Komplex.A
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Threat Level: 90% (High)
Infected Computers: 13
First Seen: February 3, 2021
Last Seen: October 27, 2022
Trojan.MacOS.Komplex.A was discovered by researchers in 2016. It is a Trojan for macOS computers created by the Sofacy Group (also known as Fancy Bear, APT28, Sednit, and Pawn Storm). While analyzing the threat, malware researchers found that earlier versions of the Trojan had been delivered by exploiting a vulnerability in MacKeeper, whereas the latest versions are believed to reach target machines mainly through corrupted email attachments. Komplex.A appears to target the aerospace industry: it lands on victims’ computers through spam campaigns that trick recipients into opening a malicious attachment disguised as a PDF file containing information on the Russian aerospace program.
Once opened, the attachment installs the Trojan’s files on the system and then establishes a connection with the remote Command and Control (C&C) server operated by the attackers. To disguise its true purpose, the attachment first opens a genuine PDF with the promised information in preview. Komplex.A also appears to have a mechanism for evading analysis and sandboxes: it sends a GET request to Google to confirm that an active Internet connection is available before carrying out its main functionality. During installation the malware creates several files, initially in the /Users/Shared/ folder; specifically, it creates /Users/Shared/.local/kextd and /Users/$USER/Library/LaunchAgents/com.apple.updates.plist. The files are then moved to their final location.
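A defender-side triage check for the persistence artifacts just described, added here as an example and not taken from the page or from any analysis of the sample: it parses a LaunchAgent plist with Python’s standard plistlib and reports matches on the file name, the payload path and an Apple-impersonating label. The label heuristic and the sample plist are my own assumptions, not from the page.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Artifact paths named on the page; $USER stands for any local user's home.
KOMPLEX_PAYLOAD = "/Users/Shared/.local/kextd"
KOMPLEX_AGENT_NAME = "com.apple.updates.plist"

# Constructed sample mimicking the persistence entry described above (not a
# real capture): an Apple-looking label that launches the hidden payload.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.updates</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.local/kextd</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""


def inspect_launch_agent(plist_path: str, plist_bytes: bytes) -> list:
    """Return the reasons a LaunchAgent matches the Komplex pattern ([] = clean)."""
    findings = []
    path = PurePosixPath(plist_path)
    if path.name == KOMPLEX_AGENT_NAME:
        findings.append(f"file name matches Komplex artifact {KOMPLEX_AGENT_NAME}")
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        # Unparseable plist in a LaunchAgents folder is itself worth a look.
        return findings + ["plist could not be parsed"]
    label = str(data.get("Label", ""))
    # Heuristic (assumption, not from the page): Apple ships its own agents in
    # /System/Library/LaunchAgents, so a com.apple.* label under a user's
    # ~/Library/LaunchAgents is impersonating Apple.
    if label.startswith("com.apple.") and path.parts[:2] == ("/", "Users") \
            and path.parent.name == "LaunchAgents":
        findings.append(f"Apple-looking label {label!r} in per-user LaunchAgents")
    program = [str(data.get("Program", ""))] + [str(a) for a in data.get("ProgramArguments", [])]
    if any(arg == KOMPLEX_PAYLOAD or arg.startswith("/Users/Shared/.local/") for arg in program):
        findings.append("launches payload from /Users/Shared/.local/")
    return findings


def scan_launch_agents(directory: str) -> dict:
    """Inspect every .plist in a LaunchAgents directory; map path -> findings."""
    results = {}
    for plist in Path(directory).glob("*.plist"):
        hits = inspect_launch_agent(str(plist), plist.read_bytes())
        if hits:
            results[str(plist)] = hits
    return results


if __name__ == "__main__":
    print(scan_launch_agents(str(Path.home() / "Library" / "LaunchAgents")))
```

Run on a Mac, the script lists any per-user LaunchAgent that matches; the sample plist is only there to exercise the checks offline.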
Although the 2016 analysis did not identify any specific malicious tasks performed by Komplex.A, once it is fully installed the attackers can instruct the Trojan to execute commands, such as downloading and running additional malware. Komplex.A also shares much of its functionality with another threat called Carberp, which attacks Windows systems, implying that the Sofacy Group may develop new cross-platform threats in the future.