The Komplex Trojan, as Palo Alto Networks named it, can download, execute, and wipe out files from an infected Mac.What makes it different for all the other Trojans? This one saves a decoy file named roskosmos_2015-2025.pdf to the system and opens it via the Preview application built into OS X. The file is named“Проект Федеральной космической программы России на 2016 – 2025 годы” and describes the Russian Federal Space Program’s projects from 2016 to 2025.
How does it work?
The purpose of the Trojan is to install and execute the Komplex payload on the infected OS X system. It copies the payload to “/Users/Shared/.local/kextd” (SHA256: 227b7fe495ad9951aebf0aae3c317c1ac526cdd255953f111341b0b11be3bbc5) and checks if it’s being debugged or not. If not, the payload checks for an anti-analysis/sandbox by submitting a GET request to Google, to check for Internet connectivity. If successful it connects to a remote server and sends : the system version, username, and process list to that server. The addresses used are : appleupdate.org
The payload also allows for additional files to be copied on the compromised system and is able to execute remote commands. The Trojan leverages an exploit in OS X’s MacKeeper, that’s how it is able to exploit it. However the user must click a malicious link before.
How to stay safe?
First don’t click on suspicious links associated with the above addresses. That’s easier said than done, right? WildFire, Palo Alto Networks own sandbox solution is able to detect this Trojan. You could sign up to test that tool and have some piece of mind. All in all it seems that aerospace workers have been targeted, therefore the infection is not widespread.