A malicious campaign that has set its sights on industrial-related entities in the Middle East since 2019 has resurfaced with an upgraded malware toolset to strike both Windows and macOS operating systems, symbolizing an expansion in both its targets and its strategy around distributing threats.
Russian cybersecurity firm attributed the attacks to an advanced persistent threat (APT) it tracks as “WildPressure,” with victims believed to be in the oil and gas industry.
WildPressure first came to light in March 2020 based off of a malware operation distributing a fully-featured C++ Trojan dubbed “Milum” that enabled the threat actor to gain remote control of the compromised device. The attacks were said to have begun as early as August 2019.
“For their campaign infrastructure, the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymization service,” Kaspersky researcher Denis Legezo noted last year.
Since then, new malware samples used in WildPressure campaigns have been unearthed, including a newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script named “Guard” that works across both Windows and macOS.
The Python-based multi-OS Trojan, which extensively makes of publicly available third-party code, is engineered to beacon the victim machine’s hostname, machine architecture, and OS release name to a remote server and check for installed anti-malware products, following which it awaits commands from the server that allow it to download and upload arbitrary files, execute commands, update the Trojan, and erase its traces from the infected host.
The VBScript version of the malware, named “Tandis,” features similar capabilities to that of Guard and Milum, while leveraging encrypted XML over HTTP for command-and-control (C2) communications. Separately, Kaspersky said it found a number of previously unknown C++ plugins that have been used to gather data on infected systems, including recording keystrokes and capturing screenshots.
What’s more, in what appears to be an evolution of the modus operandi, the latest campaign — besides relying on commercial VPS — also weaved compromised legitimate WordPress websites into their attack infrastructure, with the websites serving as Guard relay servers.
To date, there’s neither clear visibility regarding the malware spreading mechanism nor any strong code- or victim-based similarities with other known threat actors. However, the researchers said they spotted minor ties in the techniques used by another adversary called BlackShadow, which also operates in the same region.
The “tactics aren’t unique enough to come to any attribution conclusion – it’s possible both groups are simply using the same generic techniques and programming approaches,” Legezo said.