A malware campaign that shares no known similarities to previous attacks has been uncovered, targeting organizations in the Middle East. Dubbed "WildPressure," the campaign used a previously unknown malware that researchers named Milum, after the C++ class names inside the code.

According to researchers at Kaspersky, which sinkholed one of the WildPressure command-and-control (C2) domains in September, the vast majority of visitor IPs to the operators' malicious infrastructure were from the Middle East, with the rest made up of scanners, Tor exit nodes or VPN connections. Among the victims are some industrial targets, the firm found.

The malware carries out basic system reconnaissance, including inventorying the types of files housed on infected machines, according to the research. It can also fetch updates from its C2, which could include additional, second-stage functionality.

Simple and Direct

The approach used to build the trojan is very straightforward, according to Denis Legezo, security researcher with Kaspersky, writing in a post on Tuesday. For instance, all of the Milum samples are standalone executable files, the researcher discovered. Further, the code's built-in configuration data includes hardcoded C2 URLs and encryption/decryption keys for communication.

Once installed, the malware will create a directory called "ProgramDataMicappWindows," and parse this configuration data in order to form a beacon to send to its C2. To send the beacon, Milum…