Skip to main content
07 July 2021

WildPressure’s multi-platform malware hits macOS in the Middle East

Kaspersky has been tracking Milum—a malicious Trojan used by WildPressure, an advanced persistent threat (APT) actor active in the Middle East—since August 2019.

Kaspersky has been tracking Milum—a malicious Trojan used by WildPressure, an advanced persistent threat (APT) actor active in the Middle East—since August 2019. While investigating one of the latest attacks by the actor on what seems to be the industrial sector, Kaspersky researchers discovered newer versions of the malware written in different programming languages. One of the versions is able to infect and run on both Windows and macOS systems.

In threat hunting, many discoveries unravel from a small clue, and this campaign is no exception. Often, once a device is infected by a Trojan, the malware sends a beacon to the attackers’ servers, which contains information about the device, network settings, user name and other relevant information. This helps the attackers determine whether an infected device is of any interest. However, in the case of Milum, it also sent information about the programming language in which it was written. When first investigating the campaign in 2020, Kaspersky researchers suspected that this pointed to the existence of different versions of this Trojan in different languages. Now this theory has been confirmed.

In spring 2021, Kaspersky identified a new attack by WildPressure, which was carried out with a set of newer versions of the Milum malware. The files discovered contained the Milum Trojan written in C++ and a corresponding Visual Basic Script (VBScript) variant. Further investigation into this attack uncovered another version of the malware written in Python, which was developed for both Windows and macOS operating systems. All three versions of the Trojan were able to download and execute commands from the operator, collect information, and upgrade themselves to a newer version.

Multi-platform malware capable of infecting devices that run on macOS is rare. This particular specimen was delivered in a package, which included the malware, Python library and a script named ‘Guard’. This enabled the malware to launch both on Windows and macOS with little additional efforts. Once infecting the device, the malware runs operating system-dependent code for persistence and data gathering. On Windows, the script is bundled into an executable with a PyInstaller. The Python Trojan is also capable of checking whether security solutions are being run on a device.

“WildPressure operators retain their interest in the same geographical area. Malware authors developed multiple versions of similar Trojans, and they have a versioning system for them. The reason behind the development of similar malware in multiple languages is most probably to decrease the likelihood of detection. This strategy is not unique among APT actors, but we rarely see malware that is adapted to run on two systems at once, even in the form of a Python script. Another curious feature is that one of the targeted operating systems is macOS, which is a surprising target given the geographical interest of the actor”, comments Denis Legezo, senior security researcher at GReAT, Kaspersky.

Read more about the new WildPressure samples on Securelist.

Watch a workshop on how to reverse-engineer WildPressure samples in a video by Denis Legezo here.

To avoid becoming a victim of a targeted attack, Kaspersky experts recommend:

  • Don’t consider a less common operating system as shield from threats; it’s not. Using a reliable security solution is a must, regardless of the system and devices you rely on.
  • Make sure you update all software used in your organization on a regular basis, particularly whenever a new security patch is released. Security products with Vulnerability Assessment and Patch Management capabilities may help to automate these processes.
  • Choose a proven security solution, such as Kaspersky Endpoint Security, that is equipped with behavior-based detection capabilities for effective protection against known and unknown threats, including exploits.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • Ensure your staff understands basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
  • Make sure your security team has access to the most recent cyber threat intelligence.  Private reports on the latest developments in the threat landscape are available to customers of Kaspersky APT Intelligence Reporting.
  • Upskill your SOC team to tackle the latest targeted threats with a Kaspersky reverse engineering online training developed by GReAT experts.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

WildPressure’s multi-platform malware hits macOS in the Middle East

Kaspersky has been tracking Milum—a malicious Trojan used by WildPressure, an advanced persistent threat (APT) actor active in the Middle East—since August 2019.
Kaspersky Logo

Related Articles Press Releases

  • Hidden parasite: Kaspersky uncovers credential-stealing Microsoft Exchange add-on

    Kaspersky has uncovered a previously unknown IIS module (a piece of software aimed at providing additional features to Microsoft web servers) they have since dubbed Owowa that steals credentials entered by a user when logging into Outlook Web Access (OWA); it also allows the attackers to gain remote control access to the underlying server. Compiled sometime between late 2020 and April 2021, this module is a stealthy theft method that is difficult to detect with network monitoring. It’s also resistant to software updates from Exchange, meaning it can stay hidden on a device for a long time.
    Read More >

  • In 2021 almost half of investigated security incidents were connected to ransomware

    Incident response (IR) is when companies call in a team in the aftermath of a breach to limit the damage and prevent an attack from spreading. At Kaspersky, IR is handled by the Global Response Emergency Team (GERT) and is reserved for mid-size to large organizations. From January to November 2021, nearly every second security incident handled by GERT was connected to ransomware (nearly 50% of all IR requests)—an increase of nearly 12 percentage points when compared to 2020. This is among the most important findings from Kaspersky’s Story of the Year: Ransomware in the Headlines. Part of Kaspersky’s annual Security Bulletin series, which examines critical security trends over the past year, 2021’s Story of the Year takes an in-depth look at the current ransomware landscape and what to expect in 2022.
    Read More >

  • DDoS attacks in Q3 grow by 24%, become more sophisticated

    When compared to Q3 2020, the total number of Distributed Denial of Service (DDoS) attacks increased by nearly 24%, while the total number of smart attacks (advanced DDoS attacks that are often targeted) increased by 31% when compared to the same period last year. Some of the most notable targets were tools to fight the pandemic, government organizations, game developers, and well-known cybersecurity publications.
    Read More >