WildPressure Campaign Goes On With One More Hit: Mac Malware Version Targets Mac OS Systems
Mac OS Systems Are Targeted by an Upgrade of Milum, the Trojan That Became Known in the Middle East Oil & Gas Industry in 2019.
The WildPressure APT group is a malicious threat actor that started its campaign in August 2019 in the Middle East. Back then, it used Milum, a Trojan with distinct characteristics, written in C++ and targeting Middle East enterprises. Now the threat has been upgraded and comes in a Mac malware version that carries on the Milum mission by targeting Mac OS systems, a new Kaspersky report announces.
What’s New in the WildPressure Campaign That Includes Mac Malware?
Newer versions of Milum have been tracked; the latest one targets Mac OS. Researchers have observed changes that build on the original C++-based version of the malware.
In the spring of 2021, the second version was discovered: a VBScript (Visual Basic Script) variant built on the same pattern but packed with new features, such as three plugins and an orchestrator.
The third version, currently active, is written in Python and affects both Mac OS and Windows systems.
SecurityWeek notes that the resemblance between the three versions of the Trojan lies in their design, their C&C (Command and Control) protocol, and their coding style.
How Was This Possible?
Multi-platform malware that infects Mac OS devices is rather unusual. The threat actors used a script named Guard and a Python library that came alongside the malware in a package. This way, the new version could be deployed on both Mac OS and Windows very easily.
How Does This Python-Based Mac Malware Work? A Closer Look
The Mac malware comes with the following features:
- It makes use of third-party code.
- Once the threat actors execute the code, it collects information about the system.
- Examples of such data are the hostname, the architecture, and the OS release name of the machine.
- This data is then sent to a remote server.
- The code also checks for antivirus software by enumerating running processes.
- The C2 server then sends commands back to the malware.
- Supported commands include uploading and downloading arbitrary files, updating the Trojan, removing the script file from the host, and executing commands.
To date, there is neither clear visibility into the malware's spreading mechanism nor any strong code- or victim-based similarities with other known threat actors. However, the researchers said they spotted minor ties to the techniques used by another adversary called BlackShadow.