Milum Trojan has been updated and can penetrate macOS

Jul 8, 2021 13:21 GMT  ·  By

The WildPressure threat actor has added a new type of malware to its arsenal for cyberattacks against organizations in the energy sector. The malware is distributed via compromised WordPress websites, according to Threatpost.

Yesterday, Kaspersky researchers revealed new details about the updated version of the Milum Trojan. WildPressure has been developing the malware since March 2020 and has used it in attacks against a variety of organizations in the Middle East.

According to Denis Legezo, a security researcher at Kaspersky, the new version of Milum can decode a VBScript Trojan called Tandis and a multi-OS Python Trojan called Guard, which is delivered as a PyInstaller bundle and runs on macOS as well as Windows.

The Milum Trojan has been updated to be capable of infiltrating Windows and macOS systems

Legezo added: “This PyInstaller Windows executable was detected in our telemetry on September 1, 2020, showing version 2.2.1. It contains an archive with all the necessary libraries and a Python Trojan that works both on Windows and macOS. The original name of the script inside this PyInstaller bundle is ‘Guard’.”

The script inside the PyInstaller package, Guard, is specifically designed to look for macOS computers on which the Milum Trojan has already been used. “For macOS, Guard decodes an XML document and creates a PLIST file using its contents at $HOME/Library/LaunchAgents/com.apple.pyapple.plist to autorun itself; while for Windows, the script creates a RunOnce registry key Software\Microsoft\Windows\CurrentVersion\RunOnce\gd_system,” Legezo wrote.
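The two persistence artifacts quoted above are exactly what a responder would sweep for on endpoints. The script below is an added example, written for this article and not code from Kaspersky, Threatpost or the malware itself. It takes only the two indicators the article names (the com.apple.pyapple.plist LaunchAgent file and the gd_system RunOnce value) as known-bad; the remaining heuristics (a com.apple.* label sitting in a per-user LaunchAgents folder, an agent that starts a script interpreter, a RunOnce command that runs Python or lives under a Temp directory) and the sample plists and registry values it builds for the demo are assumptions of the example, not observations from the campaign.

```python
"""Sweep for the Guard persistence artifacts described in the article.

Added example: not Kaspersky's, Threatpost's or WildPressure's code.
Known indicators (from the article): the LaunchAgent file
$HOME/Library/LaunchAgents/com.apple.pyapple.plist on macOS and the
RunOnce value 'gd_system' on Windows. All other checks are heuristics
assumed by this example, and the sample inputs are constructed.
"""
import os
import plistlib
import tempfile
from pathlib import Path

KNOWN_PLIST_NAMES = {"com.apple.pyapple.plist"}   # from the article
KNOWN_RUNONCE_NAMES = {"gd_system"}               # from the article
RUNONCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
# Heuristic (assumption): a per-user agent whose program is a script
# interpreter is unusual enough to report.
INTERPRETERS = {"python", "osascript", "bash", "sh", "perl"}


def scan_launch_agents(agents_dir):
    """Return [(file_name, reason)] for suspicious plists in a per-user
    LaunchAgents directory (normally $HOME/Library/LaunchAgents)."""
    findings = []
    agents_dir = Path(agents_dir)
    if not agents_dir.is_dir():
        return findings
    for path in sorted(agents_dir.glob("*.plist")):
        reasons = []
        if path.name in KNOWN_PLIST_NAMES:
            reasons.append("known Guard file name")
        try:
            with path.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # an unreadable plist is itself worth a look
            data = {}
            reasons.append(f"unparseable plist ({exc})")
        label = str(data.get("Label", ""))
        # Apple's own agents live under /System/Library and /Library, never in
        # a user's LaunchAgents folder, so a com.apple.* name here is a red flag.
        if path.name.startswith("com.apple.") or label.startswith("com.apple."):
            reasons.append("Apple-looking label in a per-user directory")
        argv = [str(a) for a in (data.get("ProgramArguments") or [])]
        if data.get("Program"):
            argv.insert(0, str(data["Program"]))
        if argv:
            base = os.path.basename(argv[0]).lower().rstrip("0123456789.")
            if base in INTERPRETERS:
                reasons.append("starts a script interpreter: " + " ".join(argv))
        if reasons:
            findings.append((path.name, "; ".join(reasons)))
    return findings


def scan_runonce_values(values):
    """values: {value_name: command} as read from HKCU\\...\\RunOnce.
    Return [(value_name, reason)]."""
    findings = []
    for name, command in values.items():
        reasons = []
        if name in KNOWN_RUNONCE_NAMES:
            reasons.append("known Guard value name")
        cmd = str(command).lower()
        if "python" in cmd or "\\temp\\" in cmd:  # heuristic, tune to your estate
            reasons.append("runs Python or a binary from a Temp directory")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def read_hkcu_runonce():
    """Read the live HKCU RunOnce key; returns {} on non-Windows hosts."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNONCE_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                values[name] = data
                index += 1
    except OSError:
        pass
    return values


def build_sample_agents_dir():
    """Write two constructed plists (one mimicking the Guard artifact, one
    benign) into a temp dir and return it. Paths inside are made up."""
    tmp = Path(tempfile.mkdtemp(prefix="launchagents_"))
    guard = {"Label": "com.apple.pyapple", "RunAtLoad": True,
             "ProgramArguments": ["/usr/bin/python3", "/Users/victim/.guard/guard.py"]}
    benign = {"Label": "com.example.updater", "RunAtLoad": True,
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}
    with (tmp / "com.apple.pyapple.plist").open("wb") as fh:
        plistlib.dump(guard, fh)
    with (tmp / "com.example.updater.plist").open("wb") as fh:
        plistlib.dump(benign, fh)
    return tmp


SAMPLE_RUNONCE = {  # constructed, not a real registry capture
    "gd_system": r"C:\Users\victim\AppData\Local\Temp\guard.exe",
    "OneDriveSetup": r"C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup",
}

if __name__ == "__main__":
    for name, why in scan_launch_agents(build_sample_agents_dir()):
        print(f"[macOS sample] {name}: {why}")
    for name, why in scan_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        print(f"[macOS live] {name}: {why}")
    for name, why in scan_runonce_values(SAMPLE_RUNONCE):
        print(f"[Windows sample] {name}: {why}")
    for name, why in scan_runonce_values(read_hkcu_runonce()):
        print(f"[Windows live] {name}: {why}")
```

Run it as the user whose profile you are checking: LaunchAgents and RunOnce are both per-user locations, so a sweep from an administrator account will miss an infected standard user. Note also that RunOnce values are deleted once they execute, so on a machine that has already rebooted the value may be gone even though the payload persisted elsewhere; the plist, by contrast, stays in place until removed.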

The command-and-control (C2) domains the threat actor used a few months ago were mostly WordPress websites hosted on compromised servers. Based on particularities in the code, it cannot be ruled out that WildPressure works closely with other threat actors in the Middle East.