A campaign that has been targeting industrial entities in the Middle East since 2019 has resurfaced with a new arsenal targeting both Windows and macOS.
Russia-based cybersecurity company Kaspersky Lab attributed the attacks to WildPressure, an advanced persistent threat group that is known to focus on victims in the oil and gas industry.
The first known attack by WildPressure was detected in March 2020. It involved a C++ Trojan dubbed “Milum” that gave its operator remote control of a device.
“For their campaign infrastructure, the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymization service,” Kaspersky researcher Denis Legezo wrote at the time.
New malware samples have been discovered in WildPressure campaigns since then. These include a newer version of the C++ Milum Trojan, a VBScript variant with the same version number, and a Python script called Guard.
Guard is a multi-OS Trojan designed to automatically detect anti-virus software on a remote server. It sends the victim machine’s hostname, operating system release name, and other details to a remote server, then receives commands to download and upload arbitrary files. It also executes various commands to update the Trojan and wipe its traces.
The VBScript variant, Tandis, is related to Guard and Milum. It has the same capabilities as those programs, but can also execute encrypted XML over HTTP.
According to Kaspersky, attackers use a number of unknown C++ plugins that can collect data on infected systems by recording keystrokes and taking screenshots.
Besides relying on commercial VPS, this campaign also used compromised WordPress websites as Guard relay servers.
There’s no clear visibility regarding the nature of the malware spreading mechanism or the similarities with other known actors.
The researchers said they did find techniques similar to those of the BlackShadow APT, which operates in the same region.
The “tactics aren’t unique enough to come to any attribution conclusion – it’s possible both groups are simply using the same generic techniques and programming approaches,” Legezo said.