
Unknown Hackers Use New Milum RAT in WildPressure Campaign – BleepingComputer

Malware that shows no similarities with samples used in known campaigns is currently used to attack computers in various organizations. Researchers named the new threat Milum and dubbed the operation WildPressure.

Several samples of Milum were discovered in the wild at the end of last summer, with the first ones believed to have been created in March, 2019.

Unknown threat actor

The first attacks using Milum were spotted last year in August, but researchers from Kaspersky’s GReAT (Global Research & Analysis Team) believe that it has been making victims since at least the end of May, 2019.

Looking at the malware code (C++), the researchers could not find clues that could help them attribute Milum to a certain adversary, not even with low confidence.

“Their C++ code is quite common,” writes Denis Legezo, Kaspersky senior security researcher, in a technical analysis published today. Even the configuration data and the way it is parsed (Standard Template Library) are common, hence insufficient for attribution.

Checking the list of known victims was not helpful either. Based on Kaspersky telemetry, Milum “was exclusively used to attack targets in the Middle East,” some of them being in the industrial sector.

In September 2019, the researchers were able to sinkhole one of the command and control (C2) domains (upiserversys1212[.]com) used for the WildPressure campaign and noticed that most of the connecting IP addresses were from the Middle East (Iran), while others were likely network scanners, TOR exit nodes, or VPN connections.

active Milum infections, source: Kaspersky

Milum is a new RAT

The malware is a fully developed trojan with “solid capabilities for remote device management” of a compromised host. Its functionality includes the following:

Code  Meaning              Features
1     Execution            Silently execute received interpreter command and return result through pipe
2     Server to client     Decode received content in “data” JSON field and drop to file mentioned in “path” field
3     Client to server     Encode file mentioned in received command “path” field to send it
4     File info            Get file attributes: hidden, read only, archive, system or executable
5     Cleanup              Generate and run batch script to delete itself
6     Command result       Get command execution status
7     System information   Validate target with Windows version, architecture (32- or 64-bit), host and user name, installed security products (with WQL request “Select * From AntiVirusProduct WHERE displayName <> 'Windows Defender'”)
8     Directory list       Get info about files in directory: hidden, read only, archive, system or executable
9     Update               Get the new version and remove the old one
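The command table above is the kind of specification an analyst turns into a triage tool for captured C2 traffic. The script below is an added example, not Kaspersky's or BleepingComputer's code: it maps each command code to its meaning, and for the file-transfer commands (2 and 3) it reports which path would be written or read and fingerprints the pushed payload instead of dropping it to disk. The JSON field name "code" and base64 encoding of the "data" field are assumptions; only "data" and "path" are named on the page.

```python
# Analyst-side triage of captured Milum C2 commands. Added example, not
# Kaspersky's or BleepingComputer's code. Assumed (not on the page): the command
# code travels in a JSON field "code"; a type-2 "data" field is base64 encoded.
import base64
import hashlib
import json

# Command codes and meanings as listed in Kaspersky's analysis.
MILUM_COMMANDS = {
    1: "Execution", 2: "Server to client", 3: "Client to server",
    4: "File info", 5: "Cleanup", 6: "Command result",
    7: "System information", 8: "Directory list", 9: "Update",
}

def triage_command(raw: str) -> dict:
    """Parse one captured command and describe what it would do on the host."""
    msg = json.loads(raw)
    code = int(msg.get("code", -1))  # field name "code" is an assumption
    report = {"code": code, "meaning": MILUM_COMMANDS.get(code, "unknown")}
    if code == 2:
        # Server pushes a file: decode "data" and fingerprint it instead of dropping it.
        payload = base64.b64decode(msg["data"], validate=True)
        report.update(path=msg["path"], size=len(payload),
                      sha256=hashlib.sha256(payload).hexdigest())
    elif code == 3:
        # Server requests a file from the host: record what would be exfiltrated.
        report.update(path=msg["path"])
    return report

def triage_capture(lines) -> list:
    """Triage a batch of captured command lines, keeping malformed ones as errors."""
    results = []
    for line in lines:
        try:
            results.append(triage_command(line))
        except (ValueError, KeyError, TypeError) as exc:  # covers JSON and base64 errors
            results.append({"error": f"{type(exc).__name__}: {exc}"})
    return results

# Constructed sample capture, not real WildPressure traffic.
SAMPLE_CAPTURE = [
    '{"code": 2, "path": "C:\\\\ProgramData\\\\upd.exe", "data": "TVqQAAMAAAAEAAAA"}',
    '{"code": 3, "path": "C:\\\\Users\\\\user\\\\Documents\\\\plans.docx"}',
    '{"code": 7}',
    '{"code": 2, "path": "x", "data": "not-base64!"}',
]

if __name__ == "__main__":
    for report in triage_capture(SAMPLE_CAPTURE):
        print(report)
```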

Three samples analyzed by Kaspersky, all of them almost identical, showed a compilation timestamp in March. While this information can be spoofed, the researchers have other reasons to believe that Milum is a new threat.

One is that they did not record infections with this malware until March 31. Another is a field found in the HTTP POST requests when communicating with the C2 that indicates the malware version 1.0.1.

“A version number like this indicates an early stage of development. Other fields suggest the existence of, at the very least, plans for non-C++ versions.”

Whoever is behind WildPressure seems to identify their targets with code (clientID) unfamiliar to the researchers: “839ttttttt,” “HatLandid3,” and “HatLandid30.” Analyzed Milum samples had different clientIDs, indicating targeted attacks.

Milum configuration data, source: Kaspersky

Legezo told BleepingComputer over email that there are no visible hints that the WildPressure attackers plan to do more than collect information from targeted networks. He warns that this can change over time because the campaign is ongoing and could develop into a different type of attack.

“Analysts must pay attention because the consequences of an attack against an industrial target can be devastating,” he says.
