Middle East's Industrial Companies Targeted by WildPressure Malware
A malware campaign that shares no known similarities to previous attacks has been uncovered, targeting organizations in the Middle East. Dubbed “WildPressure,” the campaign used a previously unknown malware that researchers named Milum, after the C++ class names inside the code.
According to researchers at Kaspersky, who sinkholed one of the WildPressure command-and-control (C2) domains in September, the vast majority of visitor IPs to the operators' malicious infrastructure came from the Middle East; the remainder were scanners, Tor exit nodes or VPN connections. Among the victims are some industrial targets, the firm found.
The malware carries out basic system reconnaissance, including inventorying the types of files housed on infected machines, according to the research. And, it can fetch updates from its C2, which could include additional, second-stage functionality.
Once installed, the malware creates a directory called "\ProgramData\Micapp\Windows\" and parses its configuration data in order to form a beacon to send to its C2.
To send the beacon, Milum transmits compressed JSON data in HTTP POST requests, encrypted with RC4 using a 64-byte key stored in the configuration data. For compression, the trojan uses embedded gzip code (gzip is a widely used data-compression format).
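As an added example, not code from the Kaspersky report or from the malware itself, the following Python helper shows how an analyst can recover the JSON from a captured Milum-style beacon body once the 64-byte RC4 key has been extracted from the configuration: RC4-decrypt, check for the gzip header, gunzip, parse. The key, the beacon field names and the sample POST body below are constructed for illustration and are not real WildPressure values.

```python
import gzip
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). XOR-based, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_beacon(key: bytes, body: bytes) -> dict:
    """Turn a captured POST body back into the beacon JSON (decrypt -> gunzip -> parse)."""
    if len(key) != 64:
        raise ValueError("Milum uses a 64-byte RC4 key from its configuration")
    plain = rc4(key, body)
    # A wrong key yields noise; gzip's 1f 8b magic is a cheap sanity check before inflating.
    if plain[:2] != b"\x1f\x8b":
        raise ValueError("no gzip header after RC4 decryption: wrong key or not a beacon")
    return json.loads(gzip.decompress(plain).decode("utf-8"))


def encode_beacon(key: bytes, beacon: dict) -> bytes:
    """Inverse direction (gzip -> RC4), used here only to build the constructed sample."""
    return rc4(key, gzip.compress(json.dumps(beacon).encode("utf-8")))


# Constructed test fixture: a hypothetical 64-byte key and a hypothetical
# reconnaissance beacon listing the file types found on the host.
SAMPLE_KEY = bytes(range(64))
SAMPLE_BEACON = {"host": "WS-01", "file_types": [".docx", ".xlsx", ".dwg"]}
SAMPLE_BODY = encode_beacon(SAMPLE_KEY, SAMPLE_BEACON)

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_KEY, SAMPLE_BODY))
```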
The most widespread sample that Kaspersky researchers have seen in their telemetry is an application that runs as an invisible toolbar window, so victims see nothing on screen.
Researchers found three samples of the trojan circulating in the wild. All three were first compiled last March; infections began at the end of last May and continued throughout the year.