Table of Contents
July 8, 2021
|3m
WildPressure APT Malware Campaign Targets Windows And MacOS
Researchers have observed a new WildPressure APT malware campaign by threat actors aka WildPressure distributing C++ Trojan dubbed as “Milum”, a VBScript variant with the version (1.6.1) and a set of modules that include an Orchestrator, Fingerprint, Keylogging, & Screenshot plugins. And a Python script dubbed “Guard” enables the threat actor to gain remote control of the compromised system. Python version of this malware is designed and developed to target both Windows as well as macOS operating systems.
Look at the Version system. It has been said that the malware is still under active development. This time WildPressure APT malware campaign has started using compromised WordPress websites along with commercial VPS (Virtual Private Servers) to carry out the campaign.
The analysis found that the Python malware is developed based on publicly available third-party codes. On top of that, the malware uses standard Python libraries for fingerprinting both Windows and macOS operating systems.
Both the malware are capable of doing silently execute the command, file downloads, update scripts, cleaning and remove the scripts after execution, file uploads, OS fingerprinting, and the malware can also gather applications installed on the host.
Targets Of WildPressure APT Malware Campaign:
The primary targets of this campaign are mostly oil and gas industries from middle east Asian countries. There are no insights available on other targets in the research.
Indicators Of Compromise (IOCs) To Detect WildPressure APT Malware:
Python multi-OS Trojan:
| SHA1 | 72FC1D91E078F0A274CA604785117BEB261B870 |
| File type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| File size | 3.3 MB |
| File name | svchost.exe |
VBScript self-decrypted variant:
| SHA1 | CD7904E6D59142F209BD248D21242E3740999A0D |
| File type | Self-decrypting VBScript |
| File size | 51 KB |
| File name | l2dIIYKCQw.vbs |
Orchestrator:
| SHA1 | FA50AC04D601BB7961CAE4ED23BE370C985723D6 |
| File type | PE32 executable (console) Intel 80386, for MS Windows |
| File size | 87 KB |
| File name | winloud.exe |
Fingerprinting plugin:
| SHA1 | c34545d89a0882bb16ea6837d7380f2c72be7209 |
| File type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| File size | 194 KB |
| File name | GetClientInfo.dll |
Keylogging plugin:
| SHA1 | fb7f69834ca10fe31675bbedf9f858ec45c38239 |
| File type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| File size | 90.5 KB |
| File name | Keylogger.dll |
Screenshot plugin:
| SHA1 | 2bb6d37dbba52d79b896352c37763d540038eb25 |
| File type | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| File size | 78 KB |
| File name | ScreenShot.dll |
IP Addresses:
hxxp://107.158.154[.]66/core/main.phphxxp://185.177.59[.]234/core/main.phphxxp://37.59.87[.]172/page/view.phphxxp://80.255.3[.]86/page/view.phphxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php
File Hashes:
Milum version 1.6.10efd03fb65c3f92d9af87e4caf667f8e
PyInstaller with Guard92A11F0DCB973D1A58D45C995993D854 (svchost.exe)
Self-decrypting Tandis VBScript861655D8DCA82391530F9D406C31EEE1 (l2dIIYKCQw.vbs)
OrchestratorC116B3F75E12AD3555E762C7208F17B8 (winloud.exe)
PluginsF2F6604EB9100F58E21C449AC4CC4249 (ScreenShot.dll)D322FAA64F750380DE45F518CA77CA43 (Keylogger.dll)9F8D77ECE0FF897FDFD8B00042F51A41 (GetClientInfo.dll)
File paths
macOS .plist files$HOME/Library/LaunchAgents/com.apple.pyapple.plist $HOME/Library/LaunchAgents/apple.scriptzxy.plist
Config files under Windows%APPDATA%\Microsoft\grconf.dat%APPDATA%\Microsoft\vsdb.dat%ALLUSERSPROFILE%\system\thumbnail.dat%ALLUSERSPROFILE%\Application Data\system\Windows\thumbnail.dat
Config files under macOS$HOME/.appdata/grconf.dat
Registry valuesSoftware\Microsoft\Windows\CurrentVersion\RunOnce\gd_system
WQL queries examplesSELECT * FROM Win32_Process WHERE Name = ‘<all enumerated names here>’ Select * from Win32_ComputerSystemSelect * From AntiVirusProduct Select * From Win32_Process Where ParentProcessId = ‘<all enumerated ids here>’
Milum C2hxxp://107.158.154[.]66/core/main.phphxxp://185.177.59[.]234/core/main.phphxxp://37.59.87[.]172/page/view.phphxxp://80.255.3[.]86/page/view.phphxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php
Recommendation To Be Protected From WildPressure APT Malware Campaign
Analyze Firewall and Internet proxy logs for the presence of mentioned IOCs.
Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
Provide phishing awareness training to your employees/contractors.
Keep Anti-malware solutions at the endpoint and network-level updated at all times.
Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.
Thanks for reading the post. Read more such interesting articles If you find this post interesting.
You may also like these articles:
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
