Researchers have unearthed an attack campaign that uses previously unseen malware to target Middle Eastern organizations, some of which are in the industrial sector.
Researchers with Kaspersky Lab, the security firm that discovered the campaign, have dubbed it WildPressure. It uses a family of malware that has no similarities to any malicious code seen in previous attacks. It’s also targeting organizations that don’t overlap with other known campaigns.
Milum, as the malware is dubbed, is written in C++ and contains clues that suggest developers may be working on versions written in other programming languages. While Milum uses configuration data and communication mechanisms that are common among malware developers, the researchers believe that both the malware and the targets are unique.
Attention getting
“A campaign that is, apparently, exclusively targeting entities in the Middle East (at least some of them are industrial-related) is something that automatically attracts the attention of any analyst,” Kaspersky researcher Denis Legezo wrote in a post published on Tuesday. “Any similarities should be considered weak in terms of attribution and may simply be techniques copied from previous well-known cases. Indeed, this ‘learning from more experienced attackers’ cycle has been adopted by some interesting new actors in recent years.”
Milum samples show a compilation date of March 2019, a time frame that’s consistent with the first known infection on May 31, 2019. Kaspersky first spotted Milum last August.
The malware uses the RC4 encryption cipher with a different 64-bit key for each target. It also uses the JSON format for configuration data and to communicate with control servers through HTTP POSTs. Fields inside the JSON data correspond to the C++ language and the .exe file extension. That clue led researchers to hypothesize that malware versions based on other languages are in the works or possibly already exist. To date, the researchers have collected three almost identical samples, all from the same undisclosed country.
The malicious application exists as an invisible toolbar window. The malware implements functions in a separate threat. Researchers were unable to access commands from control servers, but by analyzing command handlers in the malware, the researchers were able to piece together the following:
| Code | Meaning | Features |
| 1 | Execution | Silently execute received interpreter command and return result through pipe |
| 2 | Server to client | Decode received content in “data” JSON field and drop to file mentioned in “path” field |
| 3 | Client to server | Encode file mentioned in received command “path” field to send it |
| 4 | File info | Get file attributes: hidden, read only, archive, system or executable |
| 5 | Cleanup | Generate and run batch script to delete itself |
| 6 | Command result | Get command execution status |
| 7 | System information | Validate target with Windows version, architecture (32- or 64-bit), host and user name, installed security products (with WQL request “Select From AntiVirusProduct WHERE displayName “Windows Defender”) |
| 8 | Directory list | Get info about files in directory: hidden, read only, archive, system or executable |
| 9 | Update | Get the new version and remove the old one |
When researchers took control of one of the campaign’s control servers, they observed mostly computers located in the Middle East connecting. (The researchers believe that the IP addresses not located in the Middle East belonged to network scanners, Tor Exit nodes, and VPN connections.) Some of those the Middle Eastern IP addresses belonged to organizations occupying the industrial sectors. Milum gets its name from a string found in one of the executable file names, as well as C++ class names inside the malware.
Kaspersky Lab
The above screenshot of a Kaspersky computer connecting to the sinkholed control server showed only devices based in Iran connecting. Tuesday’s post didn’t identify the countries of other infected organizations.
Over the past decade, the Middle East has emerged as a hotspot for hacking operations, with (to name only four) an attack targeting safety controls in critical infrastructure facilities, a reportedly US operation that hobbled Iran’s ability to target oil tankers, a destructive disk-wiping campaign against a Saudi Arabian gas company, and the Stuxnet and Flame malware that targeted Iran. The discovery of WildPressure and Milum suggest attacks in the region aren’t likely to die down anytime soon.
