WildPressure ATP group, known for its repeating attacks against the oil and gas sector in the Middle East, has recently upgraded its malicious toolkit with a new version of Milum Trojan. The enhancements made to the strain allow adversaries to compromise macOS devices alongside traditional Windows systems. According to security experts, the Trojan is able to collect sensitive data, execute commands, and upgrade itself following the infection.
Security researchers from Kaspersky have recently identified a new version of the notorious Milum Trojan used by WildPressure APT to target the Middle East energy sector.
Milum was initially discovered in March 2020, being a fully-fledged remote access Trojan written in C++. However, the malware has undergone extensive upgrades since then. Now researchers observe at least three versions of the threat operating in the wild, including the enhanced C++ version, a corresponding VBScript variant called “Tandis”, and a Python script dubbed “Guard.”
The “Tandis” variant performs similar functions as the original Milum version, allowing threat actors to gather system data and execute malicious commands. Yet, the VBScript-based strain can apply encrypted XML over HTTP to perform command-and-control (C&C) communications.
The Python-based version was first detected in September 2020, having the all necessary libraries and a Python Trojan able to target both Windows and macOS devices. The dedicated macOS variant is distributed as PyInstaller, however, it is frequently used within the multi-OS “Guard” version of Milum. “Guard” is able to collect system information, download and upload arbitrary files, execute malicious commands, self-update, and evade detection.
In addition to “Tandis” and “Guard,” security researchers have recently identified new C++ modules responsible for taking screenshots and capturing keystrokes, which means that the initial C++ version is also under development and receiving major upgrades.
The latest shift in the activity of the WildPressure APT is also aimed at the energy and industrial sector within the Middle East region. Previously, hackers obtained OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with Domains by Proxy anonymization service to proceed with malicious activity. However, the latest campaign also leverages the compromised WordPress websites to disseminate the “Guard” version of the Milum Trojan.
Although the infection mechanism is currently not clear and there are no major code similarities with other hacker groups, security researchers were able to identify some slight overlap in TTPs used by the BlackShadow hacker collective. These findings suggest that WildPressure might partner with other adversaries to carry this malicious operation.
To identify the malicious activity associated with WildPressure APT and protect your company infrastructure, you can download a community Sigma rule released by the SOC Prime team:
SIEM & SECURITY ANALYTICS: Azure Sentinel, Chronicle Security, ArcSight, QRadar, Splunk, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye, Apache Kafka ksqlDB
EDR: SentinelOne, Carbon Black
Tactics: Persistence, Privilege Escalation
Techniques: Create or Modify System Process (T1534), Exploitation of Remote Services (T1210)
Subscribe to Threat Detection Marketplace for free and reach the industry-leading Content-as-a-Service (CaaS) platform that powers complete CI/CD workflow for threat detection. Our library aggregates over 100K qualified, cross-vendor, and cross-tool SOC content items mapped directly to CVE and MITRE ATT&CK® frameworks. Enthusiastic to craft your own Sigma rules? Join our Threat Bounty program and get rewarded for your input!