WildPressure APT Malware Campaign Targets Windows And MacOS

Researchers have observed a new WildPressure APT campaign in which the threat actor known as WildPressure distributes a C++ Trojan dubbed "Milum", a VBScript variant (version 1.6.1), and a set of modules comprising an Orchestrator plus Fingerprint, Keylogging and Screenshot plugins. A Python script dubbed "Guard" gives the threat actor remote control of the compromised system; this Python version of the malware is designed to target both Windows and macOS.

The version numbering indicates that the malware is still under active development. In this campaign WildPressure has also started using compromised WordPress websites alongside commercial VPS (Virtual Private Server) hosting as infrastructure.

Analysis found that the Python malware is built on publicly available third-party code and uses only standard Python libraries to fingerprint both Windows and macOS.

Both variants can silently execute commands, download files, update their scripts, clean up and remove scripts after execution, upload files, fingerprint the operating system, and enumerate the applications installed on the host.

Targets Of WildPressure APT Malware Campaign:

The primary targets of this campaign are oil and gas organisations in the Middle East. The research offers no insight into other targets.

Indicators Of Compromise (IOCs) To Detect WildPressure APT Malware:

Python multi-OS Trojan:

SHA1 72FC1D91E078F0A274CA604785117BEB261B870
File type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size 3.3 MB
File name svchost.exe

VBScript self-decrypted variant:

SHA1 CD7904E6D59142F209BD248D21242E3740999A0D
File type Self-decrypting VBScript
File size 51 KB
File name l2dIIYKCQw.vbs

Orchestrator:

SHA1 FA50AC04D601BB7961CAE4ED23BE370C985723D6
File type PE32 executable (console) Intel 80386, for MS Windows
File size 87 KB
File name winloud.exe

Fingerprinting plugin:

SHA1 c34545d89a0882bb16ea6837d7380f2c72be7209
File type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size 194 KB
File name GetClientInfo.dll

Keylogging plugin:

SHA1 fb7f69834ca10fe31675bbedf9f858ec45c38239
File type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size 90.5 KB
File name Keylogger.dll

Screenshot plugin:

SHA1 2bb6d37dbba52d79b896352c37763d540038eb25
File type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size 78 KB
File name ScreenShot.dll

C2 URLs (IP addresses and domain, defanged):

hxxp://107.158.154[.]66/core/main.php
hxxp://185.177.59[.]234/core/main.php
hxxp://37.59.87[.]172/page/view.php
hxxp://80.255.3[.]86/page/view.php
hxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php

File Hashes (MD5):

Milum version 1.6.1: 0efd03fb65c3f92d9af87e4caf667f8e
PyInstaller with Guard: 92A11F0DCB973D1A58D45C995993D854 (svchost.exe)
Self-decrypting Tandis VBScript: 861655D8DCA82391530F9D406C31EEE1 (l2dIIYKCQw.vbs)
Orchestrator: C116B3F75E12AD3555E762C7208F17B8 (winloud.exe)
Plugins:
F2F6604EB9100F58E21C449AC4CC4249 (ScreenShot.dll)
D322FAA64F750380DE45F518CA77CA43 (Keylogger.dll)
9F8D77ECE0FF897FDFD8B00042F51A41 (GetClientInfo.dll)

File paths, registry values and queries

macOS .plist files:
$HOME/Library/LaunchAgents/com.apple.pyapple.plist
$HOME/Library/LaunchAgents/apple.scriptzxy.plist

Config files under Windows:
%APPDATA%/Microsoft/grconf.dat
%APPDATA%/Microsoft/vsdb.dat
%ALLUSERSPROFILE%/system/thumbnail.dat
%ALLUSERSPROFILE%/Application Data/system/Windows/thumbnail.dat

Config files under macOS:
$HOME/.appdata/grconf.dat

Registry values:
Software/Microsoft/Windows/CurrentVersion/RunOnce/gd_system

WQL query examples:
SELECT * FROM Win32_Process WHERE Name = '<all enumerated names here>'
Select * from Win32_ComputerSystem
Select * From AntiVirusProduct
Select * From Win32_Process Where ParentProcessId = '<all enumerated ids here>'

Milum C2:
hxxp://107.158.154[.]66/core/main.php
hxxp://185.177.59[.]234/core/main.php
hxxp://37.59.87[.]172/page/view.php
hxxp://80.255.3[.]86/page/view.php
hxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php
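The host-side indicators above (persistence .plist files, config file paths, the RunOnce value and the file hashes) can be turned into a simple triage script. The following is an added example written for this page, not code from the researchers or from the malware; it assumes the hives for the RunOnce value (the page gives only the key path, so HKCU and HKLM are both tried) and takes an injectable environment mapping and `exists` callback so the path expansion can be tested without touching disk. The SHA1 listed for svchost.exe on the page is one hex digit short, so it is left out of the lookup table.

```python
import hashlib
import os
import re
from typing import Callable, Dict, List, Optional

# Artifact paths copied from the report. Windows paths use %VAR% placeholders,
# macOS paths use $VAR; a placeholder that the host cannot resolve means the
# entry does not apply to this OS.
ARTIFACT_PATHS = [
    "$HOME/Library/LaunchAgents/com.apple.pyapple.plist",
    "$HOME/Library/LaunchAgents/apple.scriptzxy.plist",
    "%APPDATA%/Microsoft/grconf.dat",
    "%APPDATA%/Microsoft/vsdb.dat",
    "%ALLUSERSPROFILE%/system/thumbnail.dat",
    "%ALLUSERSPROFILE%/Application Data/system/Windows/thumbnail.dat",
    "$HOME/.appdata/grconf.dat",
]

# Hashes copied from the report, lower-cased for case-insensitive lookup.
KNOWN_HASHES = {
    # MD5 values from the "File Hashes" list
    "0efd03fb65c3f92d9af87e4caf667f8e": "Milum 1.6.1",
    "92a11f0dcb973d1a58d45c995993d854": "PyInstaller with Guard (svchost.exe)",
    "861655d8dca82391530f9d406c31eee1": "Self-decrypting Tandis VBScript (l2dIIYKCQw.vbs)",
    "c116b3f75e12ad3555e762c7208f17b8": "Orchestrator (winloud.exe)",
    "f2f6604eb9100f58e21c449ac4cc4249": "ScreenShot.dll",
    "d322faa64f750380de45f518ca77ca43": "Keylogger.dll",
    "9f8d77ece0ff897fdfd8b00042f51a41": "GetClientInfo.dll",
    # SHA1 values from the IOC section (svchost.exe SHA1 omitted: truncated on the page)
    "cd7904e6d59142f209bd248d21242e3740999a0d": "VBScript self-decrypted variant (l2dIIYKCQw.vbs)",
    "fa50ac04d601bb7961cae4ed23be370c985723d6": "Orchestrator (winloud.exe)",
    "c34545d89a0882bb16ea6837d7380f2c72be7209": "GetClientInfo.dll",
    "fb7f69834ca10fe31675bbedf9f858ec45c38239": "Keylogger.dll",
    "2bb6d37dbba52d79b896352c37763d540038eb25": "ScreenShot.dll",
}

# Matches %NAME% (Windows style) or $NAME (Unix style) placeholders.
_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%|\$([A-Za-z_][A-Za-z0-9_]*)")


def expand_ioc_path(path: str, env: Dict[str, str]) -> Optional[str]:
    """Expand placeholders from `env`; return None if any placeholder is unresolved."""
    unresolved: List[str] = []

    def repl(m: "re.Match[str]") -> str:
        name = m.group(1) or m.group(2)
        if name in env:
            return env[name]
        unresolved.append(name)
        return m.group(0)

    expanded = _VAR.sub(repl, path)
    return None if unresolved else expanded


def find_present_artifacts(env: Dict[str, str],
                           exists: Callable[[str], bool] = os.path.exists,
                           paths: List[str] = ARTIFACT_PATHS) -> List[str]:
    """Return the expanded artifact paths that exist on this host (in report order)."""
    hits = []
    for p in paths:
        full = expand_ioc_path(p, env)
        if full is not None and exists(full):
            hits.append(full)
    return hits


def lookup_hash(hexdigest: str) -> Optional[str]:
    """Return the IOC label for an MD5 or SHA1 hex digest, or None."""
    return KNOWN_HASHES.get(hexdigest.strip().lower())


def classify_bytes(data: bytes) -> Optional[str]:
    """Hash file contents with MD5 and SHA1 and return the first IOC label matched."""
    for algo in ("md5", "sha1"):
        label = lookup_hash(hashlib.new(algo, data).hexdigest())
        if label:
            return label
    return None


def runonce_has_value(name: str = "gd_system") -> Optional[bool]:
    """Windows only: check HKCU and HKLM RunOnce for the value named in the report.
    Returns None when not running on Windows. (Hive choice is an assumption.)"""
    try:
        import winreg
    except ImportError:
        return None
    subkey = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, subkey) as key:
                winreg.QueryValueEx(key, name)
                return True
        except OSError:
            continue
    return False


if __name__ == "__main__":
    host_env = dict(os.environ)
    for artifact in find_present_artifacts(host_env):
        print("artifact present:", artifact)
    print("RunOnce gd_system present:", runonce_has_value())
```

Presence of a path alone is a lead, not a verdict: hash the file with `classify_bytes` before escalating, and treat a RunOnce hit as an indicator to acquire the value's command line for review.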

Recommendation To Be Protected From WildPressure APT Malware Campaign

  • Analyze Firewall and Internet proxy logs for the presence of mentioned IOCs.
  • Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
  • Provide phishing awareness training to your employees/contractors.
  • Keep Anti-malware solutions at the endpoint and network-level updated at all times.
  • Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.
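The first recommendation, checking firewall and proxy logs for the listed IOCs, is shown below as an added example (not code from the page's source or the researchers). It refangs the defanged C2 URLs from this page, indexes them by host, and scans log lines for any URL whose host matches, distinguishing an exact C2 URL from a C2 host seen with a different path. The log lines are constructed for the example and use a simplified "timestamp client method url status" layout; adapt the URL extraction to your proxy's actual format.

```python
import re
from typing import Dict, List, NamedTuple, Set
from urllib.parse import urlsplit

# Defanged Milum C2 URLs exactly as listed in the report.
DEFANGED_C2 = [
    "hxxp://107.158.154[.]66/core/main.php",
    "hxxp://185.177.59[.]234/core/main.php",
    "hxxp://37.59.87[.]172/page/view.php",
    "hxxp://80.255.3[.]86/page/view.php",
    "hxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php",
]


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp/hxxps, [.] or (.)) back into a real URL."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def build_indicators(defanged: List[str]) -> Dict[str, Set[str]]:
    """Map each C2 host (lower-cased) to the set of URL paths listed for it."""
    by_host: Dict[str, Set[str]] = {}
    for d in defanged:
        parts = urlsplit(refang(d))
        by_host.setdefault((parts.hostname or "").lower(), set()).add(parts.path)
    return by_host


INDICATORS = build_indicators(DEFANGED_C2)


class Hit(NamedTuple):
    line_no: int
    host: str
    path: str
    exact: bool  # True when host and path both match a listed C2 URL


# Pulls http(s) URLs out of a free-form log line.
_URL = re.compile(r"https?://[^\s\"']+")


def scan_log_lines(lines: List[str],
                   indicators: Dict[str, Set[str]] = INDICATORS) -> List[Hit]:
    """Return one Hit per URL in the log whose host is a known C2 host."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        for url in _URL.findall(line):
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if host in indicators:
                hits.append(Hit(n, host, parts.path, parts.path in indicators[host]))
    return hits


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2022-06-24T10:01:02Z 10.0.0.5 GET http://185.177.59.234/core/main.php 200",
    "2022-06-24T10:01:05Z 10.0.0.7 GET http://example.com/index.html 200",
    "2022-06-24T10:02:11Z 10.0.0.5 POST http://www.mwieurgbd114kjuvtg.com/core/main.php 200",
    "2022-06-24T10:03:00Z 10.0.0.9 GET http://37.59.87.172/page/other.php 404",
]


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        kind = "exact C2 URL" if hit.exact else "C2 host, different path"
        print(f"line {hit.line_no}: {hit.host}{hit.path} ({kind})")
```

Matching on host rather than on the full URL is deliberate: a C2 operator can change the script path far more easily than the server, so a host-only hit (line 4 above) still deserves a look at the source client.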

Thanks for reading the post. If you found it interesting, read more articles like this.

Original article by ItWorker. If reprinting, please cite the source: https://blog.ytso.com/270000.html
