A malware campaign that shares no known similarities to previous attacks has been uncovered, targeting organizations in the Middle East. Dubbed “WildPressure,” the campaign used a previously unknown malware that researchers named Milum, after the C++ class names inside the code.
According to researchers at Kaspersky, which sinkholed one of the WildPressure command-and-control (C2) domains in September, the vast majority of visitor IPs to the operators’ malicious infrastructure were from the Middle East, with the rest being made up of scanners, TOR exit nodes or VPN connections. Among the victims are some industrial targets, the firm found.
The malware carries out basic system reconnaissance, including inventorying the types of files housed on infected machines, according to the research. And, it can fetch updates from its C2, which could include additional, second-stage functionality.
Simple and Direct
The approach used to build the trojan is very straightforward, according to Denis Legezo, security researcher with Kaspersky, writing in a post on Tuesday. For instance, all of the Milum samples are standalone executable files, the researcher discovered.
Further, the code’s built-in configuration data includes hardcoded C2 URLs and encryption/decryption keys for communication. Once installed, the malware will create a directory called “\ProgramData\Micapp\Windows\,” and parse this configuration data in order to form a beacon to send to its C2.
To send the beacon, Milum transmits compressed JSON data in HTTP POST requests that are encrypted with RC4, using a 64-byte key stored in the configuration data. For compression, the trojan uses an embedded gzip code (gzip is a popular data-compression technology).
The most widespread sample that Kaspersky researchers have seen in their telemetry is an application that exists as an invisible toolbar window – meaning that it’s undetectable to victims.
Difficult Attribution
As for functionality, the command handlers in Milum’s code include instructions for connecting to the C2; logging file attributes, including those in the directory (marked as hidden, read only, archive, system or executable); gathering system information to validate the target and determine antivirus product status; updating the malware; and deleting itself.
To focus their efforts, the operators use target IDs that are also hardcoded in the samples.
“Among them, we found HatLandM30 and HatLandid3 – neither of which we are familiar with,” Legezo said.
However, the rest of the campaign defies any fingerprinting, making attribution difficult, according to Kaspersky. In terms of campaign infrastructure, the operators used rented virtual private servers (VPS) from ISPs OVH and Netzbetrieb, and a domain registered with the Domains by Proxy anonymization service, for instance.
Also, the C++ code approach used by the malware authors (base64-encoded JSON-formatted configuration data stored in the binary’s resource section) is fairly generic, Legezo wrote.
“To date we haven’t observed any strong code- or victim-based similarities with any known actor or set of activity,” Legezo explained. “Any similarities should be considered weak in terms of attribution, and may simply be techniques copied from previous well-known cases. Indeed, this ‘learning from more experienced attackers’ cycle has been adopted by some interesting new actors in recent years.”
Worth Watching
Researchers found three samples of the trojan circulating in the wild. All of them were first compiled last March, and infections began at the end of last May – they continued throughout the year.
This timeline, combined with other aspects, lead Legezo to suspect that the malware is in the early stages of development – and that other activity is to be expected.
First, there is a “version 1.0.1” stamp on the samples. And, inside the HTTP POST requests used to communicate with the command-and-control (C2) server, there are fields for choosing different programming languages — indicating that there are plans for non-C++ versions of the code, if they don’t already exist.
“The only reason that we could think of for keeping these is if the attackers have several trojans, written in different languages, to work with the same control server,” Legezo said.
Milum bears watching – especially given its attacks on Mideast industrial targets, Legezo added. However, its sheer lack of personality could allow it to become a bit of a chameleon in future campaigns, he concluded: “The malware is not exclusively designed against any kind of victim in particular and might be reused in other operations.”
Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.