A previously unknown group of hackers is targeting organizations in the Middle East's industrial sector, according to a new report from antivirus firm Kaspersky. Dubbed WildPressure, the group, which Kaspersky describes as an APT (advanced persistent threat), uses a never-before-seen backdoor that the researchers named Milum, after the C++ class names found inside the code.
The WildPressure campaign was discovered in August last year, when researchers detected a previously unknown malware sample with no code similarities to samples encountered in earlier attacks.
“In August 2019, Kaspersky discovered a malicious campaign distributing a fully fledged C++ Trojan that we call Milum. All the victims we registered were organizations from the Middle East. At least some of them are related to the industrial sector. Our Kaspersky Threat Attribution Engine (KTAE) doesn’t show any code similarities with known campaigns. Nor have we seen any target intersections. In fact, we found just three almost unique samples, all in one country. So we consider the attacks to be targeted and have currently named this operation WildPressure,” the researchers said.
Digging further, Kaspersky uncovered other samples of the same malware that had infected systems as far back as May 31, 2019. An analysis of Milum’s code revealed that the backdoor had been compiled two months earlier, in March 2019.
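The "compiled in March 2019" kind of statement usually comes from the TimeDateStamp field in a sample's PE (COFF) header, cross-checked against the date the sample was first seen in the wild. The following is an added example, not code from Kaspersky's report: it builds a minimal, constructed PE stub (not a Milum sample) with a chosen timestamp, reads the timestamp back the way an analyst would from a real binary, and checks that it is plausible against a first-seen date. Remember that the field is attacker-controlled and can be zeroed or forged, so it is a hint, not proof.

```python
import struct
from datetime import datetime, timezone

# COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
#              NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
COFF_FMT = "<HHIIIHH"
IMAGE_FILE_MACHINE_I386 = 0x14C


def build_fake_pe(timestamp: int) -> bytes:
    """Construct a minimal PE-like blob (constructed test data, not a real executable):
    a DOS header whose e_lfanew points at the 'PE\\0\\0' signature and a COFF header."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew lives at offset 0x3C
    coff = struct.pack(COFF_FMT, IMAGE_FILE_MACHINE_I386, 3, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE file as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # TimeDateStamp sits 4 bytes into the COFF header, which follows the 4-byte signature
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def compile_time_is_plausible(data: bytes, first_seen_iso: str) -> bool:
    """A compile timestamp after the first observed infection, or a zero/epoch value,
    indicates the field was tampered with or stripped and should not be trusted."""
    compiled = pe_compile_timestamp(data)
    first_seen = datetime.fromisoformat(first_seen_iso)
    return compiled.timestamp() > 0 and compiled <= first_seen


if __name__ == "__main__":
    # 1552608000 == 2019-03-15T00:00:00Z, a March 2019 date chosen for illustration
    sample = build_fake_pe(1552608000)
    print("compiled:", pe_compile_timestamp(sample).isoformat())
    print("plausible vs first seen 2019-05-31:",
          compile_time_is_plausible(sample, "2019-05-31T00:00:00+00:00"))
```

On a real sample, replace `build_fake_pe(...)` with the file's bytes; `pefile` or `objdump -x` will report the same field, but parsing it by hand shows exactly which bytes the claim rests on.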
In September 2019, the researchers were able to sinkhole one of the C2 domains used by the group (upiserversys1212[.]com). The vast majority of visitor IPs were from the Middle East, specifically from Iran, while the rest belonged to network scanners, Tor exit nodes or VPN connections.
As yet, Milum’s spreading mechanism is unknown, and it is still unclear who is behind the campaign.
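Separating real victims from the background noise that hits any sinkholed domain (scanners, Tor exit nodes, VPN egress) is the main work after a takeover. The following is an added example of that triage, not Kaspersky's tooling or data: it runs over a few constructed sinkhole log lines, filters out IPs that match hypothetical Tor, scanner and VPN lists, counts how often each remaining IP checked in (an implant beacons repeatedly, a one-off scan does not), and aggregates the survivors by country from a hypothetical GeoIP table. In practice the lists come from the Tor exit-list service, scanner feeds and a GeoIP database; all addresses here are documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed sinkhole log (not from the real sinkhole): "<client_ip> <method> <path>"
SINKHOLE_LOG = """\
198.51.100.23 GET /
203.0.113.9 POST /upload
198.51.100.77 GET /
192.0.2.200 GET /robots.txt
203.0.113.9 POST /upload
198.51.100.23 POST /upload
192.0.2.13 GET /
"""

# Hypothetical noise sources. Replace with the Tor exit list, scanner feeds and VPN ranges.
TOR_EXIT_NODES = {"203.0.113.9"}
SCANNER_RANGES = [ipaddress.ip_network("192.0.2.0/28")]
VPN_RANGES = [ipaddress.ip_network("192.0.2.192/26")]

# Hypothetical GeoIP table; a real triage uses a GeoIP database lookup.
GEO = {ipaddress.ip_network("198.51.100.0/24"): "IR"}


def classify(ip_str: str) -> str:
    """Label a visitor IP as tor / scanner / vpn, or 'candidate' if it matches nothing."""
    ip = ipaddress.ip_address(ip_str)
    if ip_str in TOR_EXIT_NODES:
        return "tor"
    if any(ip in net for net in SCANNER_RANGES):
        return "scanner"
    if any(ip in net for net in VPN_RANGES):
        return "vpn"
    return "candidate"


def country(ip_str: str) -> str:
    ip = ipaddress.ip_address(ip_str)
    for net, cc in GEO.items():
        if ip in net:
            return cc
    return "??"


def triage(log: str) -> dict:
    """Split sinkhole visitors into noise and likely victims, with per-country totals."""
    hits = Counter()
    noise = Counter()
    for line in log.splitlines():
        ip, _method, _path = line.split()
        label = classify(ip)
        if label == "candidate":
            hits[ip] += 1
        else:
            noise[label] += 1
    victims = dict(hits)
    by_country = Counter(country(ip) for ip in victims)
    return {"victims": victims, "noise": dict(noise), "by_country": dict(by_country)}


if __name__ == "__main__":
    result = triage(SINKHOLE_LOG)
    for ip, n in sorted(result["victims"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {country(ip)}  check-ins={n}")
    print("noise:", result["noise"], "by country:", result["by_country"])
```

The check-in count matters: an IP that appears once and only requests `/robots.txt` is more likely a crawler than an infected host, even if it survives the list filters, so rank candidates by repeat contact before treating any of them as a victim.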
“Any similarities should be considered weak in terms of attribution, and may simply be techniques copied from previous well-known cases. Indeed, this ‘learning from more experienced attackers’ cycle has been adopted by some interesting new actors in recent years.”
“We should also be cautious regarding the true targeting of this new set of activities, as it is probably too soon to jump to conclusions. The targeted nature seems to be clear, but the targeting itself might be limited by our own visibility. The malware is not exclusively designed against any kind of victim in particular and might be reused in other operations,” Kaspersky researchers noted.