Return of Komplex: Mac users watch out

Komplex malware: What to watch for?

Komplex was first documented in 2016. In 2017, Bitdefender broke the news that Sofacy's XAgent macOS tool was back. XAgentOSX is the Apple-focused variant of a family of malware whose Windows and Linux versions had already infected thousands of devices across the world. Not only was it back, it came with reinforced capabilities, including the tools to locate and steal iPhone and iPad backups stored on Macs.

Shortly after the story broke, Palo Alto Networks (PAN), a security vendor whose Unit 42 research team publishes malware analysis and indicators, went into more detail about XAgentOSX and how it relates to Komplex.

Komplex is only part of a larger puzzle. As the report puts it:

We believe it is possible that Sofacy uses Komplex to download and install the XAgentOSX tool to use its expanded command set on the compromised system.

Interestingly, and one of the reasons this malware is more dangerous than most, its creators are believed to be the Sofacy Group, a Russian state-backed cyber espionage group also known as Fancy Bear, APT28, Pawn Storm and Sednit. This group is blamed for the attacks on the Democratic National Committee (DNC) in the U.S. and on the World Anti-Doping Agency. If they launched Komplex and XAgentOSX, we can assume extensive resources have gone into making sure it spreads and isn't easily detected or removed from infected Macs.

What is Komplex and what does it do?

Komplex is effectively the first stage of the attack: a downloader that, according to the Palo Alto Networks report, is used to fetch and install XAgentOSX, which now comes with an expanded command set and the capability to harvest more information from an infected device.

Once installed, which can happen through a variety of routes, the macOS variant of XAgent sends data, including logged keystrokes, to its command-and-control servers using HTTP POST requests, and polls them with GET requests to receive further instructions. In other words it is a backdoor, and it runs without any outward sign that the Mac has been compromised. The data it transmits is encrypted with the RC4 algorithm, so the content of its traffic is not readable in a packet capture, although the destination hosts still are.

As can be expected, on an infected Mac the tool can gather system information, upload, download or delete files, take screenshots and steal passwords stored in Firefox. It also has a command the researchers refer to as BackupIosFolder, which looks for iOS backups on the Mac (by default these live under ~/Library/Application Support/MobileSync/Backup/) so that they can be extracted. iOS backups aren't small, and pulling a whole backup off a machine increases the risk of detection, so we can assume the operators look for more specific information, such as social network app passwords or financial details, and steal that while leaving the rest of the backup untouched.

It is concerning that at the time of discovery little was published about where XAgentOSX and Komplex hide on a Mac, so the most reliable way of knowing whether you were infected was to check network traffic to and from the following indicators (written with [.] in place of a dot so they cannot be clicked; remove the brackets before searching your logs):

  •  23.227.196[.]215
  •  apple-iclods[.]org
  •  apple-checker[.]org
  •  apple-uptoday[.]org
  •  apple-search[.]info
  •  72.5.65[.]94
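To turn the list above into an actual check, here is a small POSIX shell script, added as an example and not part of the original article or of the Palo Alto Networks report. It keeps the indicators defanged exactly as printed, re-fangs them at runtime, and flags any log line that mentions one as a whole host or address token, so that a lookalike such as apple-search.info.example.com or 172.5.65.94 is not reported. The log lines are constructed for the dry run and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: match the Komplex/XAgentOSX
# network indicators against log lines. Indicators stay defanged ("[.]") in
# the source and are re-fanged only at runtime.

KOMPLEX_IOCS="23.227.196[.]215
apple-iclods[.]org
apple-checker[.]org
apple-uptoday[.]org
apple-search[.]info
72.5.65[.]94"

# komplex_refang: replace the "[.]" defanging with a real dot (stdin -> stdout).
komplex_refang() {
  sed 's/\[\.\]/./g'
}

# komplex_match_iocs: read log lines on stdin and print
#   "IOC <indicator> :: <line>"
# for every line that contains an indicator as a whole token. Returns 0 if
# at least one line matched, 1 otherwise. Tokenising on host/IP characters
# means "apple-search.info.example.com" and "172.5.65.94" do not match.
komplex_match_iocs() {
  hits=1
  iocs=$(printf '%s\n' "$KOMPLEX_IOCS" | komplex_refang)
  while IFS= read -r line; do
    tokens=" $(printf '%s' "$line" | tr -c 'A-Za-z0-9.-' ' ') "
    for ioc in $iocs; do
      case "$tokens" in
        *" $ioc "*) echo "IOC $ioc :: $line"; hits=0 ;;
      esac
    done
  done
  return $hits
}

# komplex_sample_log: constructed log lines for a dry run (not real traffic).
# Lines 1 and 2 should be flagged; lines 3 and 4 are lookalikes that must not.
komplex_sample_log() {
  cat <<'EOF'
2017-02-14T10:01:02Z dns query A apple-checker.org from 10.0.0.12
2017-02-14T10:01:03Z tcp 10.0.0.12:51234 -> 23.227.196.215:80 POST /
2017-02-14T10:01:05Z dns query A apple-search.info.example.com from 10.0.0.12
2017-02-14T10:01:07Z tcp 10.0.0.12:51240 -> 172.5.65.94:443
2017-02-14T10:01:09Z dns query A www.apple.com from 10.0.0.12
EOF
}

# Dry run against the constructed log. On a real Mac feed it live data instead,
# e.g.  lsof -nP -i | komplex_match_iocs
komplex_sample_log | komplex_match_iocs
```

Only the first two sample lines are reported. Because the matcher works on whole tokens, it is safe to point it at noisy sources such as lsof -nP -i, a DNS resolver log or a proxy log without drowning in partial matches; a hit on any of these hosts or addresses is worth treating as a confirmed compromise rather than a false positive, since none of them has a legitimate reason to appear in Mac traffic.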

Because XAgentOSX descends from XAgent, the tool used in an earlier campaign run under the group's other name, Pawn Storm, in which the iOS devices of government officials and journalists were compromised, we can expect a high level of sophistication and a real risk for anyone in any sector that might be of interest to a hostile Russian-backed group.

It is worth checking to see if your Mac is infected and removing this cyber threat as soon as possible.


How to remove Komplex manually?

Yes, it can be removed manually by following these steps:

  1. Open Finder, choose Go > Go to Folder and visit the two locations below, replacing $USER with your own home folder name. Note that .local is a hidden directory, so it won't appear in an ordinary Finder listing; in Terminal, ls -la /Users/Shared shows it.
  •  /Users/$USER/Library/LaunchAgents/com.apple.updates.plist
  •  /Users/Shared/.local/kextd
  2. If either is present, move it to the Trash, empty the Trash and reboot. Removing the plist stops the launch agent from starting at your next login; the reboot ends the copy that is already running.
  3. Go back and check that there are no other signs of infection.

Note: When removing any malware manually, check that you aren't deleting anything your Mac actually needs. The names here deliberately imitate Apple's own: the legitimate kextd lives at /usr/libexec/kextd, not in a hidden .local folder under /Users/Shared, and Apple's own launch agents normally live in /System/Library/LaunchAgents, so a com.apple.* plist in your personal LaunchAgents folder deserves a close look.
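As an added example (not from the original article or the Palo Alto Networks report), the following POSIX shell script performs the manual check above for the current user, also reports whether the com.apple.updates agent is still loaded in launchd, and scans every plist in ~/Library/LaunchAgents for one that starts the hidden kextd payload, in case the plist has been renamed. The komplex_write_sample function builds a constructed lookalike plist in a throwaway directory so the scanner can be tried on a clean machine; the label and the two paths come from the steps above, while the plist skeleton and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: check a Mac for the Komplex
# persistence artifacts listed in the manual removal steps.

KOMPLEX_LABEL="com.apple.updates"
KOMPLEX_PAYLOAD="/Users/Shared/.local/kextd"

# komplex_scan_agents DIR
# Print "<plist>: <reason>" for every launch agent in DIR that either
# references the hidden payload or carries the Komplex label. Returns 0 if
# something was flagged, 1 if DIR looked clean. Grepping the XML rather than
# trusting the filename catches a renamed plist that still starts the payload.
komplex_scan_agents() {
  found=1
  for f in "$1"/*.plist; do
    [ -f "$f" ] || continue
    if grep -qF "$KOMPLEX_PAYLOAD" "$f"; then
      echo "$f: launches $KOMPLEX_PAYLOAD"
      found=0
    elif grep -qF "<string>$KOMPLEX_LABEL</string>" "$f"; then
      echo "$f: carries label $KOMPLEX_LABEL"
      found=0
    fi
  done
  return $found
}

# komplex_check_host
# Live check for the current user: the plist, the hidden payload, whether the
# agent is still loaded in launchd, and any other plist pointing at the payload.
# Returns 0 if any indicator is present.
komplex_check_host() {
  hit=1
  agents="$HOME/Library/LaunchAgents"
  if [ -e "$agents/$KOMPLEX_LABEL.plist" ]; then
    echo "FOUND $agents/$KOMPLEX_LABEL.plist"; hit=0
  fi
  if [ -e "$KOMPLEX_PAYLOAD" ]; then
    echo "FOUND $KOMPLEX_PAYLOAD"; hit=0
  fi
  if command -v launchctl >/dev/null 2>&1 && launchctl list 2>/dev/null | grep -qF "$KOMPLEX_LABEL"; then
    echo "FOUND $KOMPLEX_LABEL loaded in launchd; run: launchctl unload $agents/$KOMPLEX_LABEL.plist"; hit=0
  fi
  if komplex_scan_agents "$agents"; then hit=0; fi
  return $hit
}

# komplex_write_sample DIR
# Write a constructed Komplex-shaped launch agent plus a benign one into DIR
# so the scanner can be exercised on a clean machine. Only the label and the
# program path come from the article; the plist skeleton is a generic template.
komplex_write_sample() {
  cat > "$1/$KOMPLEX_LABEL.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>$KOMPLEX_LABEL</string>
  <key>ProgramArguments</key><array><string>$KOMPLEX_PAYLOAD</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  cat > "$1/com.example.benign.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
</dict></plist>
EOF
}

# Dry run on a throwaway directory, then the live check for this user.
sample_dir=$(mktemp -d)
komplex_write_sample "$sample_dir"
komplex_scan_agents "$sample_dir"
rm -rf "$sample_dir"
komplex_check_host || echo "no Komplex indicators for $HOME"
```

Run it as the affected user, since launch agents are per user. If it reports that the agent is loaded, run launchctl unload on the plist before deleting the files; otherwise the copy already running keeps its network connection open until the next reboot. The dry run flags only the constructed com.apple.updates.plist and leaves the benign agent alone.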

How to remove Komplex with CleanMyMac

Yes, it can also be removed with CleanMyMac X, without worrying about deleting anything your Mac needs.

CleanMyMac X is a powerful Mac guardian that keeps your Mac safe from malware infections. It is also an essential performance tool, uncovering and clearing loads of junk from your Mac so that it runs as good as new.

When it comes to unwanted malware, here is how you use it to restore your Mac to perfect health:

  1. Download CleanMyMac X
  2. Launch the app
  3. Click on the Malware Removal tab
  4. Click Scan to scan your system for any threats
  5. Click Remove and they will vanish for good.

Komplex and XAgentOSX are malicious and have no place on a Mac. Not every virus scanner can detect them, and removing them manually isn't advisable unless you are confident you have identified the right files. With the right tool protecting your Mac, you can get rid of this threat.

CleanMyMac X

Your Mac. As good as new.