Komplex malware returns: Mac users beware

Komplex malware: What to watch for?

First discovered, or rather re-discovered, in 2017: BitDefender broke the news that Sofacy’s XAgent macOS tool was back. This is an Apple-focused variant of a Windows and Linux virus that has infected thousands of devices worldwide. Not only was it back, it also came with reinforced capabilities, including the ability to steal iPhone and iPad backups from Macs.

Shortly after the story broke, Palo Alto Networks (PAN), a trusted security provider known for uncovering malware and publishing analysis and fixes, went into more detail about Komplex and the XAgentOSX tool it delivers.

Komplex is only part of a larger puzzle, as per the report:

We believe Sofacy may use Komplex to download and install the XAgentOSX tool to use its expanded command set on the compromised system.

Interestingly, and one reason this malware is worse than most, the creators are believed to be the Sofacy Group, a Russian state-backed cyber espionage group also known as Fancy Bear, APT28, Pawn Storm, and Sednit. This group is responsible for attacks on the Democratic National Committee (DNC) in the U.S. and on the World Anti-Doping Agency (WADA). So if they have launched Komplex and XAgentOSX, we can assume extensive resources have gone into making sure it spreads and is not easily detected or removed from infected Macs.

What is Komplex, and what does it do?

Komplex is merely one piece of a larger cybersecurity puzzle: it is effectively the launch agent for XAgentOSX, which now comes with an expanded command set and the capability to harvest more information from an infected device.

Once downloaded, which can happen through various sources, the macOS variant of XAgent sends data, including logged keystrokes, to its command-and-control servers using HTTP POST requests. It also actively sends GET requests to receive further instructions, acting as a Trojan: the Mac has been compromised without showing any outward signs. It uses the RC4 algorithm to encrypt the data it transmits back to the group behind the attack.

As you would expect, on an infected Mac this virus can gather system information, upload, download, or delete files, take screenshots, and steal passwords stored in Firefox. It also uses the controls at its disposal to search for backups in the BackupIosFolder and then extract that data. iOS backups are not small, which increases the risk of detection, so we can assume it searches for more specific information, such as social network app passwords or financial details, before stealing that data and leaving the rest of the backup untouched.

It is concerning that, at the time of discovery, nobody knew where XAgentOSX and Komplex were hiding on a Mac. The only way of knowing whether you were infected was to check for traffic to and from the following sources:

  • 23.227.196[.]215
  • apple-iclods[.]org
  • apple-checker[.]org
  • apple-uptoday[.]org
  • apple-search[.]info
  • 72.5.65[.]94
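The traffic check described above, as an added example that is not from the article or from CleanMyMac: a small shell function that takes the defanged indicator list as published, un-defangs it at run time, and matches it against proxy or DNS log lines read from standard input. The log format and the sample lines are constructed for this example, and the field names in them are hypothetical.

```shell
#!/bin/sh
# Added example, not from the article or from CleanMyMac: match the article's
# network indicators against proxy/DNS log lines read from stdin.
# The indicators are copied from the list above in their defanged form
# ("[.]" for ".") and un-defanged at run time, so the list can be kept as
# published. The log format and sample lines below are constructed.

KOMPLEX_IOCS='23.227.196[.]215
apple-iclods[.]org
apple-checker[.]org
apple-uptoday[.]org
apple-search[.]info
72.5.65[.]94'

# Print every stdin line that contains an indicator; exit 0 on a hit, 1 otherwise.
# -F: fixed strings (dots stay literal); -w: whole-word match, so 123.227.196.215
# does not match 23.227.196.215; -i: domain names are case-insensitive.
komplex_ioc_grep() {
    set --
    for ioc in $(printf '%s\n' "$KOMPLEX_IOCS" | sed 's/\[\.]/./g'); do
        set -- "$@" -e "$ioc"
    done
    grep -F -i -w "$@"
}

# Count matching stdin lines (always exits 0, so it is safe under "set -e").
komplex_ioc_count() {
    komplex_ioc_grep | wc -l | tr -d ' '
}

# Constructed sample log: two lines touch article indicators, three do not
# (the 123.227.196.215 line is a deliberate near-miss for the -w check).
SAMPLE_LOG='2017-02-14T10:03:11Z dns client=10.0.0.12 query=apple-iclods.org type=A
2017-02-14T10:03:12Z proxy client=10.0.0.12 dst=23.227.196.215:443 method=POST bytes=2048
2017-02-14T10:04:00Z proxy client=10.0.0.15 dst=203.0.113.9:443 method=GET host=updates.example.com
2017-02-14T10:05:30Z dns client=10.0.0.20 query=appleid.example.com type=A
2017-02-14T10:06:02Z proxy client=10.0.0.31 dst=123.227.196.215:443 method=GET bytes=512'

# Stand-alone run: print the hits for the constructed sample log.
printf '%s\n' "$SAMPLE_LOG" | komplex_ioc_grep
```

Run it on a real export with `komplex_ioc_grep < proxy.log`; a hit means a host on your network resolved or connected to one of the published indicators and that host should be checked for the on-disk artefacts described later in this article. Whole-word matching is what keeps a longer address such as 123.227.196.215 from being reported as 23.227.196.215.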

Because XAgentOSX descends from XAgent, which was used in an attack carried out under the group's other name, Pawn Storm, in which the iOS devices of government officials and journalists were hacked, we can expect a high level of sophistication and risk for anyone, in any sector, who might be of interest to a hostile Russian-backed group.

It is worth checking to see if your Mac is infected and removing this cyber threat as soon as possible.

How to remove Komplex manually?

Hopefully, yes. It can be removed by following these steps:

  1. Open the Finder menu.
  2. Check the following locations, replacing $USER with your own home folder name:
    • /Users/$USER/Library/LaunchAgents/com.apple.updates.plist
    • /Users/Shared/.local/kextd
  3. If either file is present, move the unexpected files to the Trash, empty the Trash, and reboot.
  4. Go back and check that there are no other signs of an infection.

Note: When removing any virus manually, check that you aren't deleting anything that your Mac actually needs to operate.
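The file check in the manual steps above, as an added example that is not from the article or from CleanMyMac: a shell function that reports, but does not delete, the two artefacts the steps point at, and that goes beyond the single $USER in the text by checking every home folder under /Users. The optional ROOT argument is a parameter of this example only, so the same check can be run over a mounted disk image or a test directory; the launchd label check assumes the job label matches the plist file name, which the article does not state.

```shell
#!/bin/sh
# Added example, not from the article or from CleanMyMac: report (do not delete)
# the two on-disk artefacts the manual removal steps above point at, checking
# every home directory under /Users rather than a single $USER.
# ROOT is a hypothetical parameter of this example: leave it empty for the live
# system, or pass the mount point of a disk image or a test directory.

# Usage: komplex_check [ROOT]
# Prints "FOUND <path>" plus "ls -ld" details for each artefact present.
# Returns 0 when nothing was found, 1 when at least one artefact exists.
komplex_check() {
    root="${1:-}"
    hits=0

    # Per-user LaunchAgent named in the article, checked for every home folder.
    for home in "$root"/Users/*/; do
        plist="${home}Library/LaunchAgents/com.apple.updates.plist"
        if [ -f "$plist" ]; then
            printf 'FOUND %s\n' "$plist"
            ls -ld "$plist"
            hits=$((hits + 1))
        fi
    done

    # Shared hidden binary named in the article.
    kextd="$root/Users/Shared/.local/kextd"
    if [ -e "$kextd" ]; then
        printf 'FOUND %s\n' "$kextd"
        ls -ld "$kextd"
        hits=$((hits + 1))
    fi

    # On a live system, also note whether a launchd job with the same label as
    # the plist file name is loaded for this user (assumption: the label matches
    # the file name; treat a hit as something to review, not as proof).
    if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1; then
        if launchctl list 2>/dev/null | grep -q 'com\.apple\.updates$'; then
            printf 'LOADED com.apple.updates (review with: launchctl list com.apple.updates)\n'
            hits=$((hits + 1))
        fi
    fi

    [ "$hits" -eq 0 ]
}

# Stand-alone run against the live system: exit status 1 means something was found.
komplex_check "$@"
```

Run it before touching anything; the `ls -ld` line records owner, size and modification time of each artefact so you can note them down (or hash the files) before moving them to the Trash and rebooting as the steps above describe.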

How to remove Komplex with CleanMyMac

Yes, with CleanMyMac X. No need to worry about deleting anything your Mac needs.


CleanMyMac X is a powerful Mac guardian, keeping your Mac safe from malware infections. It is also an essential performance tool, uncovering and clearing loads of junk from your Mac so that it runs as good as new.

When it comes to unwanted malware, here is how you use it to restore your Mac to perfect health:

  1. Download CleanMyMac X.
  2. Launch the app.
  3. Click on the Malware Removal tab.
  4. Click Scan to scan your system for any threats.
  5. Click Remove, and they will vanish for good.

Komplex and XAgentOSX are malicious and have no place on Mac devices. Not every virus scanner can detect them, and removing them manually is not advisable unless you are confident you have identified the right files to remove. With the right tool protecting your Mac, you can rescue it from this virus.
