S0162 Komplex
Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX.[1][2]
| Item | Value |
|---|---|
| ID | S0162 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 14 December 2017 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | The Komplex C2 channel uses HTTP POST requests.[2] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.001 | Launch Agent | The Komplex trojan creates a persistent launch agent at `$HOME/Library/LaunchAgents/com.apple.updates.plist` and loads it with `launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist`.[2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.[2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | The Komplex payload is stored in a hidden directory at `/Users/Shared/.local/kextd`.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | The Komplex trojan supports file deletion.[2] |
| enterprise | T1057 | Process Discovery | The OsInfo function in Komplex collects a running process list.[2] |
| enterprise | T1033 | System Owner/User Discovery | The OsInfo function in Komplex collects the current running username.[2] |
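A defender-side check for the two persistence artifacts listed above: a launch agent with an Apple-style label dropped in a user's LaunchAgents folder, and a payload executed from the hidden `/Users/Shared/.local/kextd` location. This is an added example, not code from the page or from the referenced reports; the plist content is constructed, and the `ProgramArguments` value is an assumption, since the page gives only the file locations.

```python
import plistlib

# Constructed sample LaunchAgent plist modelled on the indicators on this page
# (file name com.apple.updates.plist, payload under /Users/Shared/.local/kextd).
# The launchd keys are standard; the program path is an assumption for illustration.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.updates</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.local/kextd</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

KNOWN_PAYLOAD_DIR = "/Users/Shared/.local/kextd"  # location named on this page


def hidden_path_components(path: str) -> list:
    """Return the dot-prefixed directory names in a path, e.g. ['.local']."""
    return [p for p in path.split("/") if p.startswith(".") and p not in (".", "..")]


def audit_launch_agent(plist_bytes: bytes, plist_name: str) -> list:
    """Return a list of findings for one plist found under ~/Library/LaunchAgents."""
    findings = []
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML/binary plist is itself worth a look
        return [f"unparseable plist: {exc}"]
    label = data.get("Label", "")
    # Apple's own com.apple.* agents ship under /System/Library or /Library, not in a
    # user's LaunchAgents folder; a com.apple.* label there mimics a system component.
    if label.startswith("com.apple.") or plist_name.startswith("com.apple."):
        findings.append(f"apple-style label in user LaunchAgents: {label or plist_name}")
    program = data.get("Program") or (data.get("ProgramArguments") or [None])[0]
    if program:
        if program == KNOWN_PAYLOAD_DIR or program.startswith(KNOWN_PAYLOAD_DIR + "/"):
            findings.append(f"program path matches known Komplex location: {program}")
        hidden = hidden_path_components(program)
        if hidden:
            findings.append(f"program runs from hidden directory component(s): {hidden}")
    return findings


if __name__ == "__main__":
    for finding in audit_launch_agent(SAMPLE_PLIST, "com.apple.updates.plist"):
        print("FINDING:", finding)
```

On a live host the same function can be run over every `*.plist` in each user's `~/Library/LaunchAgents`; note that `launchctl load -w`, as used by the sample, also clears any `Disabled` override, so the agent survives reboots until it is unloaded and the file removed.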
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [1][2][3] |
References
1. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017.
2. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy’s ‘Komplex’ OS X Trojan. Retrieved July 8, 2017.
3. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.