WildPressure APT group is now targeting industrial organizations based in the Middle East. The group has been active since 2019, and this time it is using an enhanced version of a trojan. The trojan, named Milum, targets both Windows and macOS systems.
What has happened?
Kaspersky researchers have observed the new version being employed in recent attacks by WildPressure. It is named Milum due to the use of C++ class names inside the malware.
The malware targeted organizations operating in the energy sector of the Middle East.
It also has a VBScript variant, versioned the same (1.6.1), and several additional modules, including an orchestrator and three plugins.
Further investigation revealed the use of other samples of the same malware used in May 2019. Milum was created in March 2019 and is still under active development.
At that time, the attackers had rented the OVH and Netzbetrieb virtual private servers. Additionally, they registered their domain with Domains by Proxy anonymization service.
The WildPressure APT group has used Python programming language as well for their malware. A PyInstaller module is used for Windows using a script named Guard. It is developed for both Windows and macOS.
This newly developed Python-based trojan uses publicly available third-party code. After being executed, it collects system info and sends it back to a remote server.
In addition, the malicious code identifies running processes to find out installed security solutions onto the systems. After identifying the security solution, it awaits commands from the C2 server.
Kaspersky has also noted some similarities in the techniques of the WildPressure APT and BlackShadow, which also targets organizations in the Middle East. The observation, however, wasn’t enough to come to any attribution conclusion. Meanwhile, experts warn about the active development of malware that could be targeting the oil and gas industry in the region.