A sophisticated malware campaign targeting industrial sectors in the Middle East has resurfaced, equipped with advanced tools designed to compromise both Windows and macOS operating systems. This resurgence indicates a tactical shift in both the targets and the methods employed in spreading the malware.

According to a recent analysis by a Russian cybersecurity firm, this attack has been linked to an advanced persistent threat (APT) group identified as “WildPressure.” The victims are primarily believed to be companies operating within the oil and gas industry.

WildPressure came into the cybersecurity spotlight in March 2020 through the deployment of a C++ Trojan called “Milum,” which granted attackers remote access to compromised devices. Initial activities reportedly began as early as August 2019.

Kaspersky researcher Denis Legezo has pointed out that the attackers utilized rented virtual private servers (VPS) from OVH and Netzbetrieb, along with a domain registered through the Domains by Proxy service to obscure ownership. New malware variants associated with these campaigns have been discovered, including an updated version of the Milum Trojan, a VBScript variant carrying the same version as Milum, and a Python script called “Guard,” capable of operating on both Windows and macOS platforms.

The cross-platform Python Trojan leverages publicly available third-party code to perform reconnaissance on the infected machine, sending the machine’s hostname, architecture, and OS version to a remote server. It also detects installed anti-malware solutions, waits for commands from the command-and-control server, and can download and upload files, execute operations, and clean up its traces on the device.

The VBScript variant, termed “Tandis,” shares the capabilities of its counterparts and uses encrypted XML for command-and-control communications. Kaspersky has also uncovered previously unidentified C++ plugins designed to gather information from infected systems, such as capturing keystrokes and taking screenshots.

Significantly, this latest campaign has evolved to incorporate compromised legitimate WordPress sites as part of the attack infrastructure, further diversifying the methods of deployment. While there remains uncertainty regarding the mechanisms used for malware propagation, researchers identified minor similarities in techniques associated with another adversary, BlackShadow, operating in the same geographic area.

However, as Legezo cautioned, the tactics utilized are not sufficiently distinctive to draw definitive attribution conclusions, suggesting that both groups may simply be employing common techniques and coding strategies.
