• Home
  • |
  • Blog
  • |
  • WildPressure APT Malware Campaign Targets Windows And MacOS
WildPressure APT Malware campaign

Researchers have observed a new WildPressure APT malware campaign by threat actors aka WildPressure distributing C++ Trojan dubbed as “Milum”, a VBScript variant with the version (1.6.1) and a set of modules that include an Orchestrator, Fingerprint, Keylogging, & Screenshot plugins. And a Python script dubbed “Guard” enables the threat actor to gain remote control of the compromised system. Python version of this malware is designed and developed to target both Windows as well as macOS operating systems.

Look at the Version system. It has been said that the malware is still under active development. This time WildPressure APT malware campaign has started using compromised WordPress websites along with commercial VPS (Virtual Private Servers) to carry out the campaign.

The analysis found that the Python malware is developed based on publicly available third-party codes. On top of that, the malware uses standard Python libraries for fingerprinting both Windows and macOS operating systems.

Both the malware are capable of doing silently execute the command, file downloads, update scripts, cleaning and remove the scripts after execution, file uploads, OS fingerprinting, and the malware can also gather applications installed on the host.

Targets Of WildPressure APT Malware Campaign:

The primary targets of this campaign are mostly oil and gas industries from middle east Asian countries. There are no insights available on other targets in the research.

Indicators Of Compromise (IOCs) To Detect WildPressure APT Malware:

Python multi-OS Trojan:

SHA172FC1D91E078F0A274CA604785117BEB261B870
File typePE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size3.3 MB
File namesvchost.exe

VBScript self-decrypted variant:

SHA1CD7904E6D59142F209BD248D21242E3740999A0D
File typeSelf-decrypting VBScript
File size51 KB
File namel2dIIYKCQw.vbs

Orchestrator:

SHA1FA50AC04D601BB7961CAE4ED23BE370C985723D6
File typePE32 executable (console) Intel 80386, for MS Windows
File size87 KB
File namewinloud.exe

Fingerprinting plugin:

SHA1c34545d89a0882bb16ea6837d7380f2c72be7209
File typePE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size194 KB
File nameGetClientInfo.dll

Keylogging plugin:

SHA1fb7f69834ca10fe31675bbedf9f858ec45c38239
File typePE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size90.5 KB
File nameKeylogger.dll

Screenshot plugin:

SHA12bb6d37dbba52d79b896352c37763d540038eb25
File typePE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size78 KB
File nameScreenShot.dll

IP Addresses:

hxxp://107.158.154[.]66/core/main.phphxxp://185.177.59[.]234/core/main.phphxxp://37.59.87[.]172/page/view.phphxxp://80.255.3[.]86/page/view.phphxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php

File Hashes:

Milum version 1.6.10efd03fb65c3f92d9af87e4caf667f8e
PyInstaller with Guard92A11F0DCB973D1A58D45C995993D854 (svchost.exe)
Self-decrypting Tandis VBScript861655D8DCA82391530F9D406C31EEE1 (l2dIIYKCQw.vbs)
OrchestratorC116B3F75E12AD3555E762C7208F17B8 (winloud.exe)
PluginsF2F6604EB9100F58E21C449AC4CC4249 (ScreenShot.dll)D322FAA64F750380DE45F518CA77CA43 (Keylogger.dll)9F8D77ECE0FF897FDFD8B00042F51A41 (GetClientInfo.dll)

File paths

macOS .plist files$HOME/Library/LaunchAgents/com.apple.pyapple.plist $HOME/Library/LaunchAgents/apple.scriptzxy.plist
Config files under Windows%APPDATA%\Microsoft\grconf.dat%APPDATA%\Microsoft\vsdb.dat%ALLUSERSPROFILE%\system\thumbnail.dat%ALLUSERSPROFILE%\Application Data\system\Windows\thumbnail.dat
Config files under macOS$HOME/.appdata/grconf.dat
Registry valuesSoftware\Microsoft\Windows\CurrentVersion\RunOnce\gd_system
WQL queries examplesSELECT * FROM Win32_Process WHERE Name = ‘<all enumerated names here>’ Select * from Win32_ComputerSystemSelect * From AntiVirusProduct Select * From Win32_Process Where ParentProcessId = ‘<all enumerated ids here>’
Milum C2hxxp://107.158.154[.]66/core/main.phphxxp://185.177.59[.]234/core/main.phphxxp://37.59.87[.]172/page/view.phphxxp://80.255.3[.]86/page/view.phphxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php

Recommendation To Be Protected From WildPressure APT Malware Campaign

  • Analyze Firewall and Internet proxy logs for the presence of mentioned IOCs.
  • Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
  • Provide phishing awareness training to your employees/contractors.
  • Keep Anti-malware solutions at the endpoint and network-level updated at all times.
  • Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.

Thanks for reading the post. Read more such interesting articles If you find this post interesting.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.