APT28 is a Russian hacking group recently known for the DNC hack and the World Anti-Doping Agency (WADA) Olympic data leaks. The group is also associated with the names Sofacy, Pawn Storm, Fancy Bear and Sednit. This time they are targeting OS X devices with a new trojan called Komplex, distributed through phishing emails that promise the victim insights into the Russian space program. The trojan was first discovered by Palo Alto Networks researchers.
According to the researchers, “Apple does a great job at defending OS X. The only thing being exploited here is the user. But it’s important to remember, people are still a target no matter what OS you use.”
The emails sent to the victims contain a file attachment holding an encrypted payload: the malware executable, a PDF and scripts. When the attachment is opened it launches the Komplex malware, while the victim believes they are opening a plain PDF file. To look authentic, the malware does open a 17-page PDF named roskosmos_2015-2025.pdf on the OS X machine.
The tool can download additional files to the system, execute and delete files, and interact directly with the system shell. The Komplex dropper component is saved to the system as ‘/tmp/content’.
The malware installs a second executable on the machine, and this file is launched whenever the OS X system starts. Komplex also has a number of built-in checks: it sends a request to Google to verify that there is an internet connection, and the trojan sleeps on the machine until a connection is available.
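A small host-triage helper for the two on-disk traits described above (the ‘/tmp/content’ dropper path and a second executable launched at startup). This is an added example, not code from the article or from Palo Alto Networks; it assumes launchd plists in the usual LaunchAgents/LaunchDaemons directories are where a start-at-boot item would be registered, since the article does not name the persistence path, and it treats any launch item whose program lives under /tmp as suspicious.

```python
import os
import plistlib

DROPPER_PATH = "/tmp/content"  # dropper location named in the article

# launchd directories to inspect (assumption: the article does not name
# the persistence path, so the common launch-item locations are scanned)
LAUNCHD_DIRS = (
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
)
TEMP_PREFIXES = ("/tmp/", "/private/tmp/")


def launch_item_program(plist_path):
    """Return the program a launchd plist starts, or None if unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, plistlib.InvalidFileException):
        return None
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return str(data["Program"]) if data.get("Program") else None


def suspicious_launch_items(dirs=LAUNCHD_DIRS):
    """(plist path, program) pairs whose program runs from a temp directory."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                prog = launch_item_program(os.path.join(d, name))
                if prog and prog.startswith(TEMP_PREFIXES):
                    hits.append((os.path.join(d, name), prog))
    return hits


def triage(dirs=LAUNCHD_DIRS, dropper=DROPPER_PATH):
    """Findings: dropper still on disk, and launch items pointing into /tmp."""
    findings = []
    if os.path.exists(dropper):
        findings.append(("dropper_present", dropper))
    findings += [("launch_item_from_tmp", f"{p} -> {prog}")
                 for p, prog in suspicious_launch_items(dirs)]
    return findings
```

Run `triage()` on a Mac to list findings; an empty list means neither trait was found in the scanned locations, not that the host is clean.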
Here is a screenshot of the infected PDF:
Source: Palo Alto Networks