Has the Sofacy spy group started targeting Macs?

You will recall that the Russian group Fancy Bear hacked into the World Anti-Doping Agency’s medical records of Olympic athletes, and continues to leak details from those records. The bad news is that it looks like the same group, known more generally as the Sofacy Group, has been targeting Macs, and will continue to launch directed phishing (‘spear phishing’) attacks against Mac users.

The Unit 42 research group at Palo Alto Networks has just reported a Trojan, Komplex, which affects OS X (and, it appears, macOS Sierra) and is most likely a product of Sofacy. What’s more, they have uncovered evidence that the MacKeeper exploit reported last year may also have been part of a Sofacy campaign using the same payload.

Running the Trojan saves a decoy PDF document to your Mac, which is then opened in Preview. The document currently used is in Russian and concerns the Russian space programme, which leads Unit 42 to suspect that, so far at least, Komplex has been used to attack the aerospace industry.

While you are busy reading the PDF, Komplex drops its payload in your /tmp folder (which is not protected by SIP). That payload then installs the malware in the /Users/Shared folder as three files: kextd (placed inside the hidden folder .local), com.apple.updates.plist, and start.sh. These set up persistence and make contact with the Command and Control server; your Mac has then been taken over.
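As an added example (not Unit 42’s or Objective-See’s code), here is a Python check that looks for the persistence artifacts the post names under /Users/Shared, and for launchd jobs that point into that folder. The launchd locations scanned are an assumption, since the post does not say where Komplex registers its job.

```python
import glob
import os
import plistlib
import tempfile

# Persistence artifacts named in the post, relative to the filesystem root.
KOMPLEX_ARTIFACTS = (
    "Users/Shared/.local/kextd",
    "Users/Shared/com.apple.updates.plist",
    "Users/Shared/start.sh",
)
# Assumption: the post does not say where Komplex registers its launchd job,
# so any job in the usual launchd locations that points into /Users/Shared is flagged.
LAUNCHD_GLOBS = ("Library/LaunchAgents/*.plist", "Library/LaunchDaemons/*.plist",
                 "Users/*/Library/LaunchAgents/*.plist")


def find_artifacts(root="/"):
    """Return the Komplex artifact paths (relative to root) that exist."""
    return [p for p in KOMPLEX_ARTIFACTS if os.path.exists(os.path.join(root, p))]


def launchd_jobs_referencing_shared(root="/"):
    """Return (plist path, Label) for launchd jobs whose Program or
    ProgramArguments mention /Users/Shared."""
    hits = []
    for pattern in LAUNCHD_GLOBS:
        for path in sorted(glob.glob(os.path.join(root, pattern))):
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception:  # unreadable or not a plist: skip, keep scanning
                continue
            cmd = [job.get("Program", "")] + list(job.get("ProgramArguments", []))
            if any("/Users/Shared" in str(c) for c in cmd):
                hits.append((path, job.get("Label", "")))
    return hits


def make_sample_tree():
    """Constructed offline fixture: placeholder artifact files plus a launchd plist running start.sh."""
    root = tempfile.mkdtemp()
    for rel in KOMPLEX_ARTIFACTS:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    agents = os.path.join(root, "Library", "LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "com.apple.updates.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.apple.updates",
                       "ProgramArguments": ["/Users/Shared/start.sh"]}, fh)
    return root
```

On a live Mac, call `find_artifacts()` and `launchd_jobs_referencing_shared()` with the default root; `make_sample_tree()` only builds a throwaway test tree so the scan can be exercised without an infected machine.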

This Trojan is most probably sent as an email attachment to carefully selected victims. Patrick Wardle points out that its behaviour is detected and blocked by Objective-See’s free BlockBlock.

Don’t open unsolicited PDF attachments, unless you want to get closer to Fancy Bear.

(Thanks to Patrick Wardle for drawing attention to this.)