New versions of Milum, a malicious Trojan, have been discovered by Kaspersky. The Trojan is used by WildPressure, an advanced persistent threat (APT) actor, that has been active in the Middle East since August 2019.
While investigating one of the actor's latest attacks, apparently on the industrial sector, Kaspersky researchers discovered newer versions of the malware written in different programming languages. One version is able to infect and run on both Windows and macOS systems.
According to the security giant, during threat hunting, many discoveries unravel from a small clue, and this campaign is no exception.
“Often, once a device is infected by a Trojan, the malware sends a beacon to the attackers’ servers, which contains information about the device, network settings, user name and other relevant information.”
The company says this helps malefactors determine whether an infected device is of any use. However, in Milum’s case, it also sent information about the programming language in which it was written.
When first investigating the campaign last year, researchers suspected that this pointed to the existence of different versions of this Trojan in different languages, a theory that has now been confirmed.
In the European spring of 2021, Kaspersky identified a new attack by WildPressure, carried out with a set of newer versions of the Milum malware.
The files discovered contained the Milum Trojan written in C++ and a corresponding Visual Basic Script (VBScript) variant. Further investigation into this attack uncovered another version of the malware written in Python, which was developed for both Windows and macOS operating systems.
All three versions had the ability to download and execute commands from the operator, collect information, and upgrade themselves to a newer version.
Multi-platform malware capable of infecting devices that run on macOS is highly unusual, the researchers say. This particular specimen was delivered in a package, which included the malware, Python library and a script named ‘Guard’.
This enabled the malware to launch on both Windows and macOS with little additional effort. Once it has infected a device, the malware runs operating system-dependent code for persistence and data gathering. On Windows, the script is bundled into an executable with PyInstaller. The Python Trojan is also capable of checking whether security solutions are running on the device.
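One defender-side triage check the PyInstaller detail above suggests, as an added example that is not Kaspersky's code or from the article: a function that looks for the PyInstaller archive cookie in a file's bytes (the cookie layout is assumed from PyInstaller's own archive format, and the sample input is constructed, not a real Milum binary).

```python
"""Triage helper: flag executables that were bundled with PyInstaller."""
import struct

# PyInstaller writes an 88-byte "cookie" at the end of the archive it appends
# to the bootloader. Layout assumed from PyInstaller's archive format:
# 8-byte magic, package length, TOC offset, TOC length, Python version,
# 64-byte Python library name.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie fields if `data` carries a PyInstaller cookie, else None."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE])
    return {
        "package_length": pkg_len,
        "toc_offset": toc_pos,
        "toc_length": toc_len,
        "python_version": pyvers,
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample() -> bytes:
    """Constructed sample: a fake PE header stub followed by a PyInstaller cookie."""
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, 4096, 64, 512, 308,
                         b"python38.dll".ljust(64, b"\x00"))
    return b"MZ" + b"\x00" * 200 + cookie


if __name__ == "__main__":
    # A bundled sample yields the parsed cookie; a plain stub yields None.
    print(find_pyinstaller_cookie(build_sample()))
    print(find_pyinstaller_cookie(b"MZ" + b"\x00" * 100))
```

In practice, run `find_pyinstaller_cookie` over the bytes of a suspicious Windows executable; a hit tells a responder the payload is likely a packed Python script worth extracting rather than native code.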
Denis Legezo, senior security researcher at GReAT, Kaspersky, says the operators behind the Trojan are focusing on a specific geographical area.
“The reason behind the development of similar malware in multiple languages is most probably to decrease the likelihood of detection. This strategy is not unique among APT actors, but we rarely see malware that is adapted to run on two systems at once, even in the form of a Python script. Another curious feature is that one of the targeted operating systems is macOS, which is a surprising target given the geographical interest of the actor,” he concludes.