APT28 is back, delivers Mac OS X Trojan to aerospace employees

The infamous APT28 group is targeting users running OS X on their computers to install spying Trojans, according to Unit 42 researchers.

APT28, also known as Sofacy, is a Russian cyber-criminal group known to target high-profile government, military and security organizations using sophisticated tools and capabilities.

In December 2015, Bitdefender uncovered a massive global intelligence-gathering campaign operated by this group, targeting top political figures, government institutions, telecommunication, e-crime services and aerospace companies.

We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian,” Bitdefender researchers said at the time. “Our assumption is supported by different markers identified during analysis.”

With this attack, APT28 is aiming at individuals from the aerospace industry. A Trojan dubbed “Komplex” is delivered on OSX systems by exploiting a vulnerability in the MacKeeper antivirus application. It acts as a communication tool, and can download, execute and delete files from the system. As a decoy, it also installs a PDF file about the Russian space program.

Researchers have also observed a striking similarity with the Carberp Trojan in terms of functionality and code. The benefit of using the same functions in both Windows and OS X Trojans” is that it would require fewer alterations to the C2 server application to handle cross-platform implants.”

We also discovered Komplex command and control (C2) domains that overlapped with previously identified phishing campaign infrastructures associated with the Sofacy group,” researchers said. “We believe (it) may have been done in order to handle compromised Windows and OS X systems using the same C2 server application with relative ease.”

“The Sofacy group created the Komplex Trojan to use in attack campaigns targeting the OS X operating system – a move that showcases their continued evolution toward multi-platform attacks,” they added.