A newly detected advanced persistent threat (APT) operation called “WildPressure” targeted industrial organizations and other entities in the Middle East.

Researchers at Kaspersky Lab observed WildPressue distributing samples of a fully operation trojan written in C++ called “Milum.” With timestamps dating back to March 2019, these samples didn’t share code or targets with any known campaigns. On the contrary, the Russian security firm detected three unique samples in a single country.

At the time of analysis, WildPressure had distributed Milum to organizations based in the Middle East. At least some of those were related to their respective countries’ industrial sectors.

Kaspersky Lab took a close look at Milum and observed that it used a base64-encoded JSON beacon to communicate with its command-and-control (C&C) server. In decoding the beacon, security researchers observed that the data included “1.0.1” as the malware version. This observation suggested that Milum was still in the early stages of its development at the time of discovery.

A decoded and beautified JSON beacon from Milum to its C&C. (Source: Kaspersky Lab)

But as seen in the image shared above, researchers also found something else hidden in the beacon data. As quoted by Kaspersky Lab:

There are several fields worth mentioning here. We referred above to different programming languages besides C++: “vt” seems to reference a programming language and “ext” a file extension. The only reason that we could think of for keeping these is if the attackers have several Trojans, written in different languages, to work with the same control server.

Via this communication with its C&C server, Milum gave its handlers the ability to remotely control the infected device. It also specifically enabled them to access the file system, execute commands, collect information, exfiltrate this data to its C&C server and wipe any traces (Read more...)