WildPressure APT group is now targeting industrial organizations based in the Middle East. The trojan, named Milum, targets both Windows and macOS systems. The new version being employed in recent attacks by WildPressure. It is named Milum due to the use of C++ class names inside the malware.

  • The malware targeted organizations operating in the energy sector of the Middle East.
  • It also has a VBScript variant, versioned the same (1.6.1), and several additional modules, including an orchestrator and three plugins.
  • Further investigation revealed the use of other samples of the same malware used in May 2019. Milum was created in March 2019 and is still under active development.
  • The attackers had rented the OVH virtual private servers.Additionally, they registered their domain with Domains by Proxy anonymization service.

Additional insights

The WildPressure APT group has used Python programming language as well for their malware. A Pyinstaller module is used for Windows using a script named Guard. It is developed for both Windows and macOS. 

  • This newly developed Python-based trojan uses publicly available third-party code. After being executed, it collects system info and sends it back to a remote server.
  • In addition, the malicious code identifies running processes to find out installed security solutions onto the systems. After identifying the security solution, it awaits commands from the C2 server.

Final thoughts

Researchers identified similarities in the techniques of the WildPressure APT and BlackShadow, which also targets organizations in the Middle East. The observation wasn’t enough to come to any attribution conclusion. Meanwhile, experts warn about the active development of malware that could be targeting the oil and gas industry in the region.