Apple OS X machines targeted by new Komplex Trojan

Researchers have discovered new malware targeting Apple Mac computers which they have linked to a hacking group widely thought to be connected to Russian intelligence agencies.

Decoy document used by Sofacy Group to hide the activation of the Komplex malware.

Known as Komplex, the OS X Trojan was found by Palo Alto Networks' Unit 42 researchers as part of their tracking of the Sofacy Group. 

Sofacy has been active since at least 2007, and is also known as Fancy Bear, Pawn Storm, APT28 and Sednit.

The hacking group has attacked government agencies in Eastern Europe and the West as well as media organisations. It is believed to be behind the data breach at the National Committee of the Democratic Party in the United States which saw damaging emails and private data leaked.

In September this year, the group released data stolen from the World Anti Doping Agency on athletes taking part in the 2016 Rio Olympics. At the time, WADA openly accused Russia of being behind the hack.

The Palo Alto researchers say Sofacy has now turned its attention to the aerospace sector, using the Komplex malware to target individuals in the field.

The Trojan Horse malware exploits a vulnerability in the MacKeeper security application to drop a payload on target computers with the help of a email phishing campaign.

A 17-page document in Adobe PDF format is opened using the OS X Preview application as a decoy, while Komplex runs executable files in the background.

Once installed, Komplex is able to exfiltrate user information as well as download additional files, delete data, and directly interact with the system through shell commands, the researchers said.

Komplex shares code with the Carberp banking malware for Windows, the researchers said. They were able to connect its command and control server infrastructure to earlier malware attacks by the Sofacy Group.

The researchers were unable to identify those behind the Sofacy Group.