WildPressure APT returns with new malware targeting Windows and macOS

WildPressure, an advanced persistent threat (APT) actor active in the Middle East since August 2019, has added a new malware variant that targets both Windows and macOS devices.

The APT group first came to light in 2019, when researchers at Kaspersky discovered a malicious campaign distributing a fully fledged C++ trojan, which they named “Milum”, that gave the attackers remote control of the targeted device.

The operation targeted organizations in the Middle East, some of them related to the industrial sector. For their campaign infrastructure, the threat actors used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered through the Domains by Proxy anonymization service.

“We were able to sinkhole one of the WildPressure C2 domains (upiserversys1212[.]com) in September 2019. The vast majority of visitor IPs were also from the Middle East, and we believe the rest were network scanners, TOR exit nodes or VPN connections,” the researchers said.

Now the group has resurfaced with upgraded malware targeting both Windows and macOS systems. This variant “was delivered in a package, which included the malware, Python library and a script named ‘Guard’. This enabled the malware to launch both on Windows and macOS with little additional effort. Once it has infected the device, the malware runs operating system-dependent code for persistence and data gathering. On Windows, the script is bundled into an executable with PyInstaller. The Python trojan is also capable of checking whether security solutions are being run on a device,” the researchers said.
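One practical consequence of the Windows build being a PyInstaller bundle is that it carries PyInstaller's archive cookie, which a triage script can look for before any deeper analysis. The following is an added example, not code from Kaspersky or the article: it locates the cookie at the tail of a file, decodes its fixed fields, and flags the file as a PyInstaller bundle. The magic value and cookie layout are PyInstaller's published archive format (version 2.1 and later); the sample files are constructed inline and stand in for nothing real.

```python
import struct

# PyInstaller's CArchive magic. The cookie that carries it sits at the end of the
# bundled archive (appended to the executable on Windows). Known constant from
# PyInstaller's archive format, not something taken from the article.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"

# Cookie layout for PyInstaller >= 2.1: magic, package length, TOC offset,
# TOC length, Python version, and a 64-byte zero-padded Python library name.
COOKIE_FORMAT = "!8siiii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return parsed cookie fields if `data` looks like a PyInstaller bundle, else None.

    Searches for the last occurrence of the magic (the cookie is at the tail of
    the archive) and decodes the fixed-size cookie starting at that position.
    A magic with no complete cookie behind it is treated as not a bundle.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE]
    )
    # Version is encoded as e.g. 37 (3.7) in older builds or 310 (3.10) in newer ones.
    if pyver >= 100:
        major, minor = divmod(pyver, 100)
    else:
        major, minor = divmod(pyver, 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def triage_files(samples):
    """Run the check over a {name: bytes} mapping; return names flagged as PyInstaller bundles."""
    return sorted(name for name, blob in samples.items() if find_pyinstaller_cookie(blob))


def _make_fake_bundle(pyver: int, pylib: bytes) -> bytes:
    """Constructed test input: a placeholder 'PE' body followed by a valid-looking cookie."""
    body = b"MZ" + b"\x90" * 200  # not a real PE, just a stand-in prefix
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, len(body) + COOKIE_SIZE,
                         100, 50, pyver, pylib.ljust(64, b"\0"))
    return body + cookie


# Constructed samples (hypothetical names, no relation to any real file).
CONSTRUCTED_SAMPLES = {
    "bundled.exe": _make_fake_bundle(37, b"python37.dll"),
    "plain_tool.exe": b"MZ" + b"\x00" * 300,
    "truncated.exe": b"MZ" + PYINSTALLER_MAGIC,  # magic present but no full cookie
}

if __name__ == "__main__":
    for name in sorted(CONSTRUCTED_SAMPLES):
        print(name, find_pyinstaller_cookie(CONSTRUCTED_SAMPLES[name]))
```

The check only establishes that a file is a PyInstaller bundle, which is common for legitimate software too; it is a triage signal that tells you the embedded Python script can be recovered for analysis, not an indicator of this actor on its own.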

The malware supports multiple commands, including downloading and uploading arbitrary files, executing commands, updating itself, and cleaning up by removing its persistence mechanism and the script file from the infected host.

“To date, we don’t have any data regarding Milum’s spreading mechanism. A campaign that is, apparently, exclusively targeting entities in the Middle East (at least some of them are industrial-related) is something that automatically attracts the attention of any analyst. Any similarities should be considered weak in terms of attribution, and may simply be techniques copied from previous well-known cases. Indeed, this “learning from more experienced attackers” cycle has been adopted by some interesting new actors in recent years,” Kaspersky noted.
