Say what you will about Russian hacking group “Fancy Bear,” but they’ve definitely got a sense of style. Fancy Bear is the group widely believed to be responsible for hacking the Democratic National Committee’s servers. Now, authorities believe the group has developed a form Trojan called Komplex, which targets Mac users.
Like most other malware, once installed on a target system, it faithfully reports data back to the software’s owners and controllers, and can be used to edit, view, copy and delete files on the infected system. Where it gets interesting is the fact that in addition to this, in an apparent display of nationalistic pride, it also places a copy of a PDF on the infected system that details projects that the Russian Space Program has planned between 2016 and 2025.
The Trojan appears to infect target computers by exploiting a known vulnerability in the MacKeeper antivirus software. This vulnerability causes Macs to accept and execute remote commands, and can be triggered by specially crafted web pages. In this case, web pages are designed to mimic the appearance of Russian aerospace companies. There is some evidence that the Komplex Trojan is related to (and shares code with) another malware program called Carberp, which the group has used to infiltrate various agencies of the US government.
All indications are that this software is being used to target a highly specific group of users, although the researchers have been unable to identify a definitive pattern. They are still not sure what group that might be. In any case, it does not appear that this Trojan is being used in any sort of widespread attack.
Even so, it exhibits the dangers that the business community faces in today’s computing environment. Not only are the attacks themselves becoming increasingly complex and sophisticated – the hackers are also branching out, targeting ever smaller groups with tremendous precision. If you employ any people with an interest in Russian space technology, and they use Apple products, be aware of this one.