‘WildPressure’ Has No Ties to Other Groups or Malware, Kaspersky Says
The WildPressure APT has focused its attention on industrial targets in the Middle East.
A newly discovered advanced persistent threat group is targeting industrial firms in the Middle East with a new type of backdoor Trojan, according to the security firm Kaspersky.
The APT group, which Kaspersky calls “WildPressure,” appears to have links to a nation-state, although it’s not clear what government may be backing its activities, according to a new report from Kaspersky.
Kaspersky analysts started tracking WildPressure in August 2019, but the APT group apparently started its industrial espionage campaign last May, the report notes.
WildPressure uses a backdoor Trojan that the security firm calls “Milum.” Denis Legezo, a senior security researcher at Kaspersky, says that its code had not been spotted in the wild before August 2019.
“We haven’t observed any code similarities with known malware,” Legezo tells Information Security Media Group. “Also, our telemetry doesn’t show these files before August 2019.”
Once installed, Milum, written in the C++ programming language, connects to a command-and-control server to receive instructions and transmit data back to the APT group, according to Kaspersky. Analysts aren’t sure how the backdoor is delivered to targets or how the attack begins, the report notes.
Milum is capable of silently executing received commands; encoding and sending files; getting file attributes; deleting itself; receiving the latest version of the malware and removing the older one; and validating the Windows architecture, Legezo says. Milum is designed to steal and exfiltrate data, and it maintains a silent presence within the infrastructure, Legezo notes.
“Typically such attackers want to steal data over time and be persistent in systems,” Legezo says.
A closer look at Milum finds that in one of the fields within the HTTP POST request, the operators labeled the malware as version 1.0.1, indicating that the backdoor is still in the earliest stages of its development, according to the Kaspersky report. “Other fields suggest the existence of, at the very least, plans for non-C++ versions,” the report notes.
Target: Middle East
In September 2019, the Kaspersky team sinkholed one of the Milum command-and-control servers that WildPressure uses. The researchers found that the majority of the target IPs were in the Middle East and had connections to industrial facilities.
While the Kaspersky report indicates that WildPressure’s activities are limited to industrial spying and maintaining a presence within targets’ infrastructure, the group is worth watching because it has no known connections to other nation-state-sponsored actors.
“We should also be cautious regarding the true targeting of this new set of activities, as it is probably too soon to jump to conclusions. The targeted nature seems to be clear, but the targeting itself might be limited by our own visibility,” the Kaspersky report notes.
Activities in the Region
Over the last several months, APT groups have been stepping up their activities in the Middle East.
In December 2019, for instance, IBM X-Force researchers discovered a new malware campaign suspected of being tied to Iran that targeted companies in the energy and industrial sectors in the Middle East (see: Wiper Malware Targets Middle Eastern Energy Firms: Report).