'WildPressure' Campaign Targets Industrial Sector in Middle East

A targeted and ongoing malicious campaign first spotted last year has hit organizations in the Middle East with a new, fully-fledged Trojan, Kaspersky reveals.


Referred to as WildPressure, the campaign does not seem related to other attacks, and initially only three, almost unique samples of the Trojan were observed, all in one country. The attacks were aimed at various organizations, some related to the industrial sector.


Dubbed Milum, the Trojan used in these attacks is written in C++, with all of the observed samples featuring compilation timestamps of March 2019 and the first infections dated May 31, 2019.


The attackers’ infrastructure included rented virtual private servers (VPS) and a domain that was registered using the Domains by Proxy anonymization service.


After managing to sinkhole one of the WildPressure command and control (C&C) domains in September, Kaspersky discovered that most of the visitors’ IP addresses were from the Middle East, with the rest believed to be network scanners, Tor exit nodes or VPN connections.


Milum, Kaspersky told SecurityWeek, is a complete piece of malware, but its developers continue to make improvements. The company suggests that the developers might be considering the release of non-C++ versions as well.


Analysis of the malware revealed the use of the JSON format for configuration data and for communication with the C&C server — files are sent in HTTP POST requests. The RC4 algorithm is used for encryption, with different 64-bit keys for different victims.


The observed samples are compiled as standalone PE files. The malware exports a large number of zlib compression functions (compression is needed for C&C communication) and uses the HKCU autorun registry keys Run and RunOnce for persistence.
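The persistence location the article attributes to Milum, the per-user Run and RunOnce keys, is also the easiest part of the behaviour for a defender to audit. The following PowerShell is an added example written for this page, not code from the article or from Kaspersky's report: it enumerates both HKCU keys and flags entries whose executable lives outside the usual program directories or lacks a valid Authenticode signature. The expected-root list and the two heuristics are assumptions for illustration, not indicators from the report.

```powershell
# Added example (not from the article or Kaspersky's report): audit HKCU Run/RunOnce
# autorun entries and flag ones that look out of place. The directory list and the
# "outside expected roots or unsigned" heuristic are assumptions, not report indicators.

$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories from which autorun commands are normally expected (assumption; tune per estate).
$expectedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")

function Get-AutorunEntries {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip PowerShell's own metadata properties (PSPath, PSParentPath, ...).
            if ($prop.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
            }
        }
    }
}

function Test-SuspiciousAutorun {
    param([string]$Command)
    # Pull the executable path out of the command line: quoted path, or first token.
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Heuristic 1: the binary is not under a directory we expect autoruns to come from.
    $outsideExpected = -not ($expectedRoots | Where-Object {
        $_ -and $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
    })

    # Heuristic 2: the binary exists but does not carry a valid Authenticode signature.
    $unsigned = $false
    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $unsigned = ($sig.Status -ne 'Valid')
    }
    return ($outsideExpected -or $unsigned)
}

Get-AutorunEntries | ForEach-Object {
    $_ | Add-Member -NotePropertyName Suspicious `
                    -NotePropertyValue (Test-SuspiciousAutorun $_.Command) -PassThru
} | Format-Table -AutoSize
```

Because these keys are per user, the script only sees the profile it runs under; run it in each interactive user's context (or walk the loaded hives under HKU) to cover a whole host, and treat a flagged entry as a lead to verify against a baseline rather than a verdict on its own.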


Kaspersky’ ..
