Skip to content

S0162 Komplex

Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX 1 2.

Item Value
ID S0162
Associated Names
Type MALWARE
Version 1.1
Created 14 December 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols The Komplex C2 channel uses HTTP POST requests.2
enterprise T1543 Create or Modify System Process -
enterprise T1543.001 Launch Agent The Komplex trojan creates a persistent launch agent called with $HOME/Library/LaunchAgents/com.apple.updates.plist with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.2
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories The Komplex payload is stored in a hidden directory at /Users/Shared/.local/kextd.2
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion The Komplex trojan supports file deletion.2
enterprise T1057 Process Discovery The OsInfo function in Komplex collects a running process list.2
enterprise T1033 System Owner/User Discovery The OsInfo function in Komplex collects the current running username.2

Groups That Use This Software

ID Name References
G0007 APT28 123

References

Back to top