Researchers from Kaspersky have identified a malware campaign that has been targeting multiple industries in the Middle East since 2019 and has now added the capability to attack both Windows and macOS systems.
Kaspersky tracks this APT as “WildPressure” and says it has identified a newer version of the C++ Milum Trojan, along with a VBScript variant, an orchestrator and three plugins that support the campaign.
Researchers also observed a variant written in Python and packaged with PyInstaller for Windows; it contains a script named “Guard”, which confirms that this malware was written to run on both Windows and macOS.
“The versioning system shows that the malware used by WildPressure is still under active development. Besides commercial VPS, this time the operators used compromised legitimate WordPress websites. With low confidence this time, we believe their targets to be in the oil and gas industry.
“If previously the operators used readable “clientids” like “HatLandid3”, the new ones we observed in the Milum samples appear to be randomized like “5CU5EQLOSI” and “C29QoCli33jjxtb”,” reads the blog.
Researchers also noted that the malware supports multiple commands, including downloading and uploading files and executing OS commands. They also observed that it reuses publicly available code, and that once executed on a victim machine it performs reconnaissance (system information, architecture and so on) and exfiltrates the results to its external C2 servers.
“On macOS, Guard enumerates running processes using the “ls /Applications” command and compares the results against a list of security solutions: [“kaspersky security.app”,”kaspersky anti-virus for mac.app” , “intego”, “sophos anti-virus.app” , “virusbarrier.app”,”mcafee internet security.app”]”
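To make the check quoted above concrete, the following Python is an added example written for this article; it is not the CyberWorkx author's code and not code from Kaspersky or from the Guard script itself. It reproduces the logic as described (list the entries of /Applications and compare them against the published product names) so a defender can test it offline against a constructed listing. Two details are assumptions, not facts from the report: the comparison is done case-insensitively, because the published list is all lower-case while real bundle names are capitalised, and it is a substring match, because “intego” is listed without a “.app” suffix. The function and sample listing names are invented here.

```python
"""
Added example (not from the CyberWorkx article or Kaspersky's report):
re-implements the security-product check attributed to the "Guard" script
so the logic can be exercised offline against a constructed directory listing.

Assumption: both sides are lower-cased and a substring hit counts as a match,
because the published list is lower-case and "intego" carries no ".app" suffix.
"""
import subprocess

# Product names exactly as published in the Kaspersky write-up quoted above.
GUARD_SECURITY_LIST = [
    "kaspersky security.app",
    "kaspersky anti-virus for mac.app",
    "intego",
    "sophos anti-virus.app",
    "virusbarrier.app",
    "mcafee internet security.app",
]


def find_security_products(listing, watchlist=GUARD_SECURITY_LIST):
    """Return the entries of `listing` that match any name on the watchlist.

    `listing` is an iterable of bundle names as `ls /Applications` prints them,
    one per line and in mixed case. Matching lower-cases the entry and accepts a
    substring hit, so "Intego NetBarrier.app" matches "intego" (assumption).
    """
    hits = []
    for entry in listing:
        name = entry.strip().lower()
        if not name:
            continue
        if any(pattern in name for pattern in watchlist):
            hits.append(entry.strip())
    return hits


def find_security_products_live():
    """Run the same `ls /Applications` command the quote describes and check it.

    Only meaningful on macOS; on other systems the directory is usually absent
    and the result is an empty list.
    """
    out = subprocess.run(["ls", "/Applications"],
                         capture_output=True, text=True, check=False)
    return find_security_products(out.stdout.splitlines())


# Constructed sample listing (not captured from any real host). Note that
# "Sophos Endpoint.app" is deliberately NOT on the published list: the check is
# an exact product-name list, so a renamed or newer product is not detected.
SAMPLE_LISTING = """Safari.app
Kaspersky Security.app
Intego NetBarrier.app
Utilities
Sophos Endpoint.app
"""

if __name__ == "__main__":
    print(find_security_products(SAMPLE_LISTING.splitlines()))
```

On the constructed listing the function flags “Kaspersky Security.app” and “Intego NetBarrier.app” but not “Sophos Endpoint.app”, which shows the limitation of a hard-coded product list: the malware only evades products whose bundle names its authors had in hand at build time.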
“We consider with high confidence that the aforementioned Tandis VBScript, PyInstaller and C++ samples belong to the same authors that we dubbed WildPressure due to the very similar coding style and victim profile.” reads the blog.
CyberWorkx readers can download the IOCs for this campaign via this link and incorporate them into their security controls.
For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.