08 July 21, 16:04
Quote: Threat actors known as WildPressure have added a macOS malware variant to their latest campaign targeting energy sector businesses, while enlisting compromised WordPress websites to carry out attacks.
Novel malware, initially identified in March 2020 and dubbed Milum, has now been retooled with a PyInstaller bundle containing a trojan dropper compatible with Windows and macOS systems, according to researchers. Compromised endpoints allow the advanced persistent threat (APT) group to download and upload files and execute commands.
On Wednesday, Kaspersky published its latest findings tied to the APT and malware, which it first discovered and reported on in March 2020. At that time, researchers noted WildPressure targeted Middle East organizations with a C++ version of a trojan it called Milum.
The latest sample of Milum reveals the addition of a self-decrypting VBScript Tandis trojan, a macOS-compatible PyInstaller and a multi-OS Guard trojan, according to Denis Legezo, senior security researcher at Kaspersky, in a Wednesday post.
A PyInstaller bundles a macOS-compatible Python application “and all its dependencies into a single package,” according to a technical description.
“This PyInstaller Windows executable was detected in our telemetry on September 1, 2020, showing version 2.2.1. It contains an archive with all the necessary libraries and a Python Trojan that works both on Windows and macOS. The original name of the script inside this PyInstaller bundle is ‘Guard’,” Legezo wrote.
According to Kaspersky, which sinkholed new WildPressure command-and-control (C2) domains in spring 2021, the threat actor used both virtual private servers (VPS) and compromised servers in their infrastructure, most of which were WordPress websites.
Read more: MacOS Targeted in WildPressure APT Malware Campaign | Threatpost