Threat actors known as WildPressure have added a macOS malware variant to their latest campaign targeting energy sector businesses, while enlisting compromised WordPress websites to carry out attacks.
Novel malware, initially identified in March 2020 and dubbed Milum, has now been retooled with a PyInstaller bundle containing a trojan dropper compatible with Windows and macOS systems, according to researchers. Compromised endpoints allow the advanced persistent threat (APT) group to download and upload files and execute commands.
On Wednesday, Kaspersky published its latest findings tied to the APT and malware, which it first discovered and reported on in March 2020. At that time, researchers noted WildPressure targeted Middle East organizations with a C++ version of a trojan it called Milum.
The latest sample of Milum reveals the addition of a self-decrypting VBScript Tandis trojan, a macOS-compatible PyInstaller and a multi-OS Guard trojan, according to Denis Legezo, senior security researcher at Kaspersky, in a Wednesday post.
PyInstaller bundles a macOS-compatible Python application “and all its dependencies into a single package,” according to a technical description.
“This PyInstaller Windows executable was detected in our telemetry on September 1, 2020, showing version 2.2.1. It contains an archive with all the necessary libraries and a Python Trojan that works both on Windows and macOS. The original name of the script inside this PyInstaller bundle is ‘Guard’,” Legezo wrote.
According to Kaspersky, which sinkholed new WildPressure command-and-control (C2) domains in spring 2021, the threat actor used both virtual private servers (VPS) and compromised servers in their infrastructure, most of which were WordPress websites.
Clues to the malware’s macOS compatibility include a script inside the PyInstaller bundle (Guard) that checks macOS systems for other instances of the Milum trojan.
Researchers note the code used inside Guard for encryption and network communications is OS-independent, but host persistence methods are not.
“For macOS, Guard decodes an XML document and creates a PLIST file using its contents at $HOME/Library/LaunchAgents/com.apple.pyapple.plist to autorun itself; while for Windows, the script creates a RunOnce registry key Software\Microsoft\Windows\CurrentVersion\RunOnce\gd_system,” Legezo wrote.
Property List files, or PLIST files, are settings files. They are used by macOS applications, contain properties and configuration settings, and have been abused in the past by threat actors.
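One way a defender could check for the macOS persistence described above, as an added example that is not from Kaspersky or the original article: it parses each property list in a per-user LaunchAgents folder and flags the reported filename plus any com.apple.* name found there. The function names, the com.apple.* heuristic and the sample plists are assumptions constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Filename Kaspersky reported for Guard's macOS autorun entry (quoted in the article).
REPORTED_NAME = "com.apple.pyapple.plist"

def audit_launch_agents(agents_dir):
    """Return (filename, reason, command) for suspicious per-user LaunchAgents."""
    findings = []
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                data = plistlib.load(fh)
            if not isinstance(data, dict):
                raise ValueError("plist root is not a dictionary")
        except Exception:  # plistlib raises several types for malformed files
            findings.append((path.name, "unparseable plist", []))
            continue
        label = str(data.get("Label", ""))
        # launchd accepts either a ProgramArguments list or a single Program string.
        argv = data.get("ProgramArguments") or [data.get("Program", "")]
        if path.name == REPORTED_NAME:
            reason = "reported WildPressure filename"
        elif path.name.startswith("com.apple.") or label.startswith("com.apple."):
            # Heuristic (assumption): Apple's own agents live under /System/Library,
            # so an Apple-style name in a user's home folder deserves a look.
            reason = "com.apple.* name in user LaunchAgents"
        else:
            continue
        findings.append((path.name, reason, [str(a) for a in argv]))
    return findings

def build_sample_dir():
    """Constructed sample data; labels and program paths are placeholders."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "org.example.updater.plist": {"Label": "org.example.updater",
                                      "ProgramArguments": ["/usr/local/bin/updater"]},
        "local.sync.plist": {"Label": "com.apple.sync", "Program": "/tmp/placeholder-sync"},
        REPORTED_NAME: {"Label": "com.apple.pyapple", "RunAtLoad": True,
                        "ProgramArguments": ["/tmp/placeholder-binary"]},
    }
    for name, body in samples.items():
        with (root / name).open("wb") as fh:
            plistlib.dump(body, fh)
    return root

if __name__ == "__main__":
    for finding in audit_launch_agents(Path.home() / "Library/LaunchAgents"):
        print(finding)
```

On a real Mac, review the command column of each finding before removing anything, since the heuristic can also match legitimate third-party entries that imitate Apple naming.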
In a video walkthrough of Kaspersky’s research, Legezo said he believed with “high confidence” that the Tandis VBScript, PyInstaller and C++ samples are all tied to the WildPressure APT “due to the very similar coding style and victim profile.” The code doesn’t rule out that WildPressure may be closely connected to other threat actors operating in the Middle East.
“Among other actors that we’ve covered in the region, Chafer and Ferocious Kitten are worth mentioning. Technically, there’s not much in common with their malware, but we observed some minor similarities with another actor in the region we haven’t described publicly so far,” he said.