New findings

Our previous story considering WildPressure was dedicated to their campaign against industrial-related targets in the Middle East. By keeping track of their malware in spring 2021, we were able to find a most current version. It contains the C ++ Milum Trojan, a corresponding VBScript variant with the same version( 1.6.1) and a situated of modules that include an orchestrator and three plugins. This substantiates our previous assumption that there are more last-stagers besides the C ++ ones, based a field in the C2 communication protocol that contains the “client” programming language.

Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named “Guard”. Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol is quite recognizable across all three programming language used by the authors.

The versioning system are demonstrating that the malware used by WildPressure is still under active developing. Besides commercial VPS, this time the operators used compromised legitimate WordPress websites. With low confidence this time, we believe their targets to be in the oil and gas industry. If previously the operators use readable “clientids” like “HatLandid3”, the new ones we observed in the Milum samples appear to be randomized like “5CU5EQLOSI” and “C29QoCli33jjxtb”.

Although we couldn’t associate WildPressure’s activity with other threat performers, we did find minor similarities in the TTPs used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to making such a attribution.

Python multi-OS Trojan

SHA1 72FC1D91E078F0A274CA604785117BEB261B870 File character PE32 executable( GUI) Intel 80386( stripped to external PDB ), for MS Windows

File size 3.3 MB

File epithet svchost.exe

This PyInstaller Windows executable was detected in our telemetry on September 1, 2020, presentation version 2.2.1. It contains an archive with all the necessary libraries and a Python Trojan that works both on Windows and macOS. The original name of the script inside this PyInstaller bundle is “Guard”. The malware authors extensively relied on publicly available third-party code[ 1 ] to create it. Near the enter degree one can find the first operating system-dependent code, which checks on macOS if another instance of the Trojan is running.

macOS-specific code snippet to check if another Trojan instance is already running

The Guard class constructor contains initial values, such as an XOR key( enc_key field) to decrypt the configuration. In this sample, it is set to decimal 110 and the C2 message type( answer_type_value field) to “Check”. The code that initializes class members for encryption and network communications is OS independent, but perseverance techniques aren’t.

For macOS, Guard decodes an XML document and makes a plist file using the content of the report at$ HOME/ Library/ LaunchAgents/ to autorun itself; while for Windows, the script makes a RunOnce registry key Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce \ gd_system. We furnish the full list of persistence IoCs at the end of this article.

Malware decodes the XML, fills[ pyscript] placeholder with its path and drops. plist file for persistence

For fingerprinting Windows and macOS operating systems, Guard employs standard Python libraries. Beacon data for the C2 contains the hostname, machine architecture, OS release name. To fingerprint Windows targets, Guard likewise applies WQL( WMI Query Language) requests similarly to Milum and WMIC command line utility features. For instance, to distinguish the installed security products it executes the following command 😛 TAGENDcmd/ c wmic/ NAMESPACE :\ \\\ root \ SecurityCenter2 PATH AntiVirusProduct GET displayName, productUptoDate/ Format: List

On macOS, Guard itemizes operating processes applying the” ls/ Applications” command and compares the research results against a list of security answers: [” kaspersky “,” kaspersky anti-virus for”, “intego”, ” sophos”, “”,” mcafee internet “]

The path to the file containing Guard’s configuration data is% APPDATA %\ Microsoft \ grconf.dat under Windows and$ HOME \. appdata \ grconf.dat under macOS.

Guard’s configuration data has to start with the string “* grds *”. Below is a comparison between different WildPressure sample parameters, including magical values used to pre- and post-fix the configuration data.

Parameter C++ Milum Python Guard VBScript Tandis

Version 1.0.1- 1.6.1 2.2.1 1.6.1

Serial Comparable to “clientid” with values like “HatLandid3” 1—–C29QoCli—————- 1—–Tandis_7—————-

Relays List of. php pages hosted on VPS List of hacked WordPress websites List of hacked WordPress websites

Encoded configuration start \ objective (ws32)( we32) *grds** grde* Configuration embedded inside the script

These prefix and suffix values allowed us to decode Mulim and Guard configuration data as well as the self-decrypted Tandis with Bash and Python scripts. Following configuration parsing, the Trojan is ready for its main working cycle. It awaits commands from its C2 that are XML-based and XOR-encrypted with the aforementioned decimal value 110. Among them are typical Trojan roles: downloading files, uploading files, executing commands with the OS command interpreter, updating the Trojan and cleaning up the target.

VBScript self-decrypted variant

SHA1 CD7904E6D59142F209BD248D21242E3740999A0D File kind Self-decrypting VBScript

File sizing 51 KB

File epithet l2dIIYKCQw.vbs

We named the Tandis Trojan after its “serial” configuration parameter. This VBScript Trojan version is Windows-only and relies much more on WQL queries than Guard. It was first detected in our telemetry on September 1, 2020, demonstrate version 1.6.1. The abilities, parameters and operating cycle are quite similar to Guard and other WildPressure malware.

The persistence is again system registry-based( please check the IoCs at the end ). The role HexToBin() is in charge of the additional encryption used inside the script for some strings and C2 communication. The basic unhexlify-XOR algorithm is the same as in the initial self-decryption; and to read plain text we utilized the same aforementioned script with matching key( again 110 decimal, stored in a class data member ). The C2 communication protocol is” encrypted XML over HTTP”( applying Msxml2. XMLHTTP and Msxml2. DOMDocument objects ).

Below are the commands that Tandis supports 😛 TAGEND

Command Description 1 Wait 2 Silently execute command with interpreter with cmd/ c

3 Download file

4 Update the script from server

5 Clean up, remove persistence and the script file

6 Upload file

7 Update wait timings in the configuration

8 Fingerprint the host. In particular, Tandis amass all the installed security products besides Defender with a WQL query

Plugin-based C ++ malware

In addition to the already enumerated scripting implants that WildPressure use, some findings are related to C ++ growths. We detected several, previously unknown, interconnected modules used to gather data on target hosts in our telemetry. The compilation times seen in this malware precedes our detection date by a large margin, and we therefore consider them to be tampered with.

The plugins we detected are rather simplistic. We will therefore focus on the implemented interface between the orchestrator and its plugins.


SHA1 FA50AC04D601BB7961CAE4ED23BE370C985723D6 File character PE32 executable( console) Intel 80386, for MS Windows

File size 87 KB

File name winloud.exe

This main module checks for the presence of a configuration file named “thumbnail.dat”. The precise directory of this configuration file differs across Windows versions 😛 TAGEND

% ALLUSERSPROFILE %\ system \ thumbnail.dat %ALLUSERSPROFILE%\Application Data \ system \ Windows \ thumbnail.dat

The orchestrator employs a timer function that runs every two minutes and parses the configuration file for the plugin file route, role epithet, etc ., and attempts to execute the corresponding plugin.

The overall communication workflow between orchestrator and the plugins

Plugins come in the form of a DLL that exports a function named accessPluginInterface (), which returns a pointer to a class object to the orchestrator. This main module then runs the second function from the virtual parts table, passing it the pointer to instantiated class objects. The plugins we’ve seen so far contained RTTI information.

Fingerprinting plugin

SHA1 c34545d89a0882bb16ea6837d7380f2c72be7209 File type PE32 executable( DLL)( GUI) Intel 80386, for MS Windows

File size 194 KB

File epithet GetClientInfo.dll

This plugin gatherings actually detailed data about the host with WQL queries and generates a JSON with a publicly available library. The data includes OS version and the determined of installed hotfixes, BIOS and HDD producers, installed and running software and security products separately, user accounts and network adapters decideds, etc. The corresponding executed WQL queries look like this 😛 TAGENDSELECT Domain, DomainRole, TotalPhysicalMemory, UserName, SystemType FROM Win32_ComputerSystem SELECT DHCPServer, DNSDomain, MACAddress, DHCPEnabled, DefaultIPGateway, IPAddress, IPSubnet FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled= ‘TRUE'”

Keylogging and screenshotting plugins

SHA1 fb7f69834ca10fe31675bbedf9f858ec45c38239 File kind PE32 executable( DLL)( GUI) Intel 80386, for MS Windows

File sizing 90.5 KB

File epithet Keylogger.dll

SHA1 2bb6d37dbba52d79b896352c37763d540038eb25 File kind PE32 executable( DLL)( GUI) Intel 80386, for MS Windows

File size 78 KB

File name ScreenShot.dll

These plugins are quite straightforward. The keylogger specifies a WH_KEYBOARD_LL hook to gather the keystrokes and gets clipboard content and Windows titles. The second takes screenshots by timer and by mouse events, determining a WH_MOUSE_LL hook.

Campaign infrastructure

The actor employed both VPS and compromised servers in their infrastructure, most of which were WordPress websites. The legitimate, compromised websites served as Guard relay servers. In our previous 2019 investigation, we were able to sinkhole the Milum C2, upiserversys1 212 [.] com. During our current investigation we managed to sinkhole another Milum C2, mwieurgbd1 14 kjuvtg [.] com. However, we haven’t registered any recent Milum petitions sent to these domains with the corresponding main.php or url.php URI.

Domain IP First seen ASN Malware

N/ A 107.158.154[.]66 2021 -0 4-07 62904, EONIX Milum 185.177.59 [.] 234
2021″ -0 4-07 44901, BELCLOUD

37.59.87 [.] 172
2014″ -1 2-26 16276, OVH

80.255.3 [.] 86 2019-08-28 201011, NETZBETRIEB

mwieurgbd1 14 kjuvtg [.] com 139.59.250[.]183

( Sinkholed) 2021-04-07

( Sinkholed) 14061, DIGITALOCEAN

Legitimate, compromised Guard relay servers 😛 TAGEND

hxxp :// adelice-formation [.] eu hxxp://ricktallis[.]com/news hxxp :// whatismyserver1 23456 [.] com hxxp://www.glisru[.]eu hxxp :// www.mozh [.] org

Who was hit and by whom

We have very limited visibility for the samples outlined in this report. Based on our telemetry, we is hypothesized that the specific objectives in the same Middle East region were related to the oil and gas industry.

We consider with high confidence that the aforementioned Tandis VBScript, PyInstaller and C ++ samples belong to the same authors that we dubbed WildPressure due to the very similar coding style and victim profile. However, a few questions remains: is WildPressure connected to other threat performers operating in the same region?

Among other actors that we’ve covered in the region Chafer and Ferocious Kitten are worth mentioning. Technically, there’s not much in common with their malware, but we find some minor similarities with another performer in areas we haven’t described publicly still further. Minor similarities with WildPressure are 😛 TAGEND

The “pk” parameter in HTTP requests to distinguish the Trojan lighthouses from, for example, scanners; The utilization of hacked WordPress websites as relays.

Both tactics aren’t unique enough to come to any attribution judgment – it’s possible both groups are simply using the same generic techniques and programming approaches.

Learn threat hunting and malware analysis with Denis Legezo and other GReAT experts.

Indicator of Compromise

Milum version 1.6.1 0efd03fb65c3f92d9af87e4caf667f8e

PyInstaller with Guard 92A11F0DCB973D1A58D45C995993D854( svchost.exe)

Self-decrypting Tandis VBScript 861655D8DCA82391530F9D406C31EEE1( l2dIIYKCQw. vbs)

Orchestrator C1 16 B3F75E12AD3555E762C7208F17B8( winloud.exe)

Plugins F2F 6604 EB9100F58E21C449AC4CC4249( ScreenShot.dll) D3 22 FAA6 4F750380DE45F518CA77CA43( Keylogger.dll) 9F8D77ECE0FF897FDFD8B00042F51A41( GetClientInfo.dll)

File paths

macOS. plist files $HOME/Library/LaunchAgents/$ HOME/ Library/ LaunchAgents/ apple.scriptzxy.plist

Config files under Windows %APPDATA%\Microsoft\grconf.dat% APPDATA %\ Microsoft \ vsdb.dat %ALLUSERSPROFILE%\system\thumbnail.dat% ALLUSERSPROFILE %\ Application Data \ system \ Windows \ thumbnail.dat

Config files under macOS $HOME/.appdata/grconf.dat

Registry values Software\Microsoft\Windows\CurrentVersion\RunOnce\gd_system

WQL queries examples SELECT* FROM Win3 2_Process WHERE Name=’ ‘ Select* from Win3 2_ComputerSystem Select* From AntiVirusProduct Select* From Win3 2_Process Where ParentProcessId=’

Milum C2 hxxp://107.158.154[.]66/core/main.php hxxp :// 185.177.59 [.] 234/ core/ main.php hxxp://37.59.87[.]172/page/view.php hxxp :/ /8 0.255.3 [.] 86/ page/ view.php hxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php

[ 1 ] E.g. https :// vaab/ 2ad7051fc193167f15f85ef573e54eb9 and https :// recipes/ 65222 -run-a-task-every-few-seconds /

Read more: