Our previous story considering WildPressure was dedicated to their campaign against industrial-related targets in the Middle East. By keeping track of their malware in spring 2021, we were able to find a most current version. It contains the C ++ Milum Trojan, a corresponding VBScript variant with the same version( 1.6.1) and a situated of modules that include an orchestrator and three plugins. This substantiates our previous assumption that there are more last-stagers besides the C ++ ones, based a field in the C2 communication protocol that contains the “client” programming language.
Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named “Guard”. Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol is quite recognizable across all three programming language used by the authors.
The versioning system are demonstrating that the malware used by WildPressure is still under active developing. Besides commercial VPS, this time the operators used compromised legitimate WordPress websites. With low confidence this time, we believe their targets to be in the oil and gas industry. If previously the operators use readable “clientids” like “HatLandid3”, the new ones we observed in the Milum samples appear to be randomized like “5CU5EQLOSI” and “C29QoCli33jjxtb”.
Although we couldn’t associate WildPressure’s activity with other threat performers, we did find minor similarities in the TTPs used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to making such a attribution.
Python multi-OS Trojan
File size 3.3 MB
File epithet svchost.exe
This PyInstaller Windows executable was detected in our telemetry on September 1, 2020, presentation version 2.2.1. It contains an archive with all the necessary libraries and a Python Trojan that works both on Windows and macOS. The original name of the script inside this PyInstaller bundle is “Guard”. The malware authors extensively relied on publicly available third-party code[ 1 ] to create it. Near the enter degree one can find the first operating system-dependent code, which checks on macOS if another instance of the Trojan is running.
macOS-specific code snippet to check if another Trojan instance is already running
The Guard class constructor contains initial values, such as an XOR key( enc_key field) to decrypt the configuration. In this sample, it is set to decimal 110 and the C2 message type( answer_type_value field) to “Check”. The code that initializes class members for encryption and network communications is OS independent, but perseverance techniques aren’t.
For macOS, Guard decodes an XML document and makes a plist file using the content of the report at$ HOME/ Library/ LaunchAgents/ com.apple.pyapple.plist to autorun itself; while for Windows, the script makes a RunOnce registry key Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce \ gd_system. We furnish the full list of persistence IoCs at the end of this article.
For fingerprinting Windows and macOS operating systems, Guard employs standard Python libraries. Beacon data for the C2 contains the hostname, machine architecture, OS release name. To fingerprint Windows targets, Guard likewise applies WQL( WMI Query Language) requests similarly to Milum and WMIC command line utility features. For instance, to distinguish the installed security products it executes the following command 😛 TAGENDcmd/ c wmic/ NAMESPACE :\ \\\ root \ SecurityCenter2 PATH AntiVirusProduct GET displayName, productUptoDate/ Format: List
On macOS, Guard itemizes operating processes applying the” ls/ Applications” command and compares the research results against a list of security answers: [” kaspersky security.app “,” kaspersky anti-virus for mac.app”, “intego”, ” sophos anti-virus.app”, “virusbarrier.app”,” mcafee internet security.app “]
Guard’s configuration data has to start with the string “* grds *”. Below is a comparison between different WildPressure sample parameters, including magical values used to pre- and post-fix the configuration data.
Parameter C++ Milum Python Guard VBScript Tandis
Version 1.0.1- 1.6.1 2.2.1 1.6.1
Serial Comparable to “clientid” with values like “HatLandid3” 1—–C29QoCli—————- 1—–Tandis_7—————-
Relays List of. php pages hosted on VPS List of hacked WordPress websites List of hacked WordPress websites
Encoded configuration start \ objective (ws32)( we32) *grds** grde* Configuration embedded inside the script
These prefix and suffix values allowed us to decode Mulim and Guard configuration data as well as the self-decrypted Tandis with Bash and Python scripts. Following configuration parsing, the Trojan is ready for its main working cycle. It awaits commands from its C2 that are XML-based and XOR-encrypted with the aforementioned decimal value 110. Among them are typical Trojan roles: downloading files, uploading files, executing commands with the OS command interpreter, updating the Trojan and cleaning up the target.
VBScript self-decrypted variant
SHA1 CD7904E6D59142F209BD248D21242E3740999A0D File kind Self-decrypting VBScript
File sizing 51 KB
File epithet l2dIIYKCQw.vbs
We named the Tandis Trojan after its “serial” configuration parameter. This VBScript Trojan version is Windows-only and relies much more on WQL queries than Guard. It was first detected in our telemetry on September 1, 2020, demonstrate version 1.6.1. The abilities, parameters and operating cycle are quite similar to Guard and other WildPressure malware.
The persistence is again system registry-based( please check the IoCs at the end ). The role HexToBin() is in charge of the additional encryption used inside the script for some strings and C2 communication. The basic unhexlify-XOR algorithm is the same as in the initial self-decryption; and to read plain text we utilized the same aforementioned script with matching key( again 110 decimal, stored in a class data member ). The C2 communication protocol is” encrypted XML over HTTP”( applying Msxml2. XMLHTTP and Msxml2. DOMDocument objects ).
Below are the commands that Tandis supports 😛 TAGEND
Command Description 1 Wait 2 Silently execute command with interpreter with cmd/ c
3 Download file
4 Update the script from server
5 Clean up, remove persistence and the script file
6 Upload file
7 Update wait timings in the configuration
8 Fingerprint the host. In particular, Tandis amass all the installed security products besides Defender with a WQL query
Plugin-based C ++ malware
In addition to the already enumerated scripting implants that WildPressure use, some findings are related to C ++ growths. We detected several, previously unknown, interconnected modules used to gather data on target hosts in our telemetry. The compilation times seen in this malware precedes our detection date by a large margin, and we therefore consider them to be tampered with.
The plugins we detected are rather simplistic. We will therefore focus on the implemented interface between the orchestrator and its plugins.
File size 87 KB
File name winloud.exe
The orchestrator employs a timer function that runs every two minutes and parses the configuration file for the plugin file route, role epithet, etc ., and attempts to execute the corresponding plugin.
The overall communication workflow between orchestrator and the plugins
Plugins come in the form of a DLL that exports a function named accessPluginInterface (), which returns a pointer to a class object to the orchestrator. This main module then runs the second function from the virtual parts table, passing it the pointer to instantiated class objects. The plugins we’ve seen so far contained RTTI information.
File size 194 KB
File epithet GetClientInfo.dll
This plugin gatherings actually detailed data about the host with WQL queries and generates a JSON with a publicly available library. The data includes OS version and the determined of installed hotfixes, BIOS and HDD producers, installed and running software and security products separately, user accounts and network adapters decideds, etc. The corresponding executed WQL queries look like this 😛 TAGENDSELECT Domain, DomainRole, TotalPhysicalMemory, UserName, SystemType FROM Win32_ComputerSystem SELECT DHCPServer, DNSDomain, MACAddress, DHCPEnabled, DefaultIPGateway, IPAddress, IPSubnet FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled= ‘TRUE'”
Keylogging and screenshotting plugins
File sizing 90.5 KB
File epithet Keylogger.dll
File size 78 KB
File name ScreenShot.dll
These plugins are quite straightforward. The keylogger specifies a WH_KEYBOARD_LL hook to gather the keystrokes and gets clipboard content and Windows titles. The second takes screenshots by timer and by mouse events, determining a WH_MOUSE_LL hook.
The actor employed both VPS and compromised servers in their infrastructure, most of which were WordPress websites. The legitimate, compromised websites served as Guard relay servers. In our previous 2019 investigation, we were able to sinkhole the Milum C2, upiserversys1 212 [.] com. During our current investigation we managed to sinkhole another Milum C2, mwieurgbd1 14 kjuvtg [.] com. However, we haven’t registered any recent Milum petitions sent to these domains with the corresponding main.php or url.php URI.
Domain IP First seen ASN Malware
N/ A 107.158.154[.]66 2021 -0 4-07 62904, EONIX Milum 185.177.59 [.] 234
2021″ -0 4-07 44901, BELCLOUD
37.59.87 [.] 172
2014″ -1 2-26 16276, OVH
80.255.3 [.] 86 2019-08-28 201011, NETZBETRIEB
mwieurgbd1 14 kjuvtg [.] com 139.59.250[.]183
( Sinkholed) 2021-04-07
( Sinkholed) 14061, DIGITALOCEAN
Legitimate, compromised Guard relay servers 😛 TAGEND
hxxp :// adelice-formation [.] eu hxxp://ricktallis[.]com/news hxxp :// whatismyserver1 23456 [.] com hxxp://www.glisru[.]eu hxxp :// www.mozh [.] org
Who was hit and by whom
We have very limited visibility for the samples outlined in this report. Based on our telemetry, we is hypothesized that the specific objectives in the same Middle East region were related to the oil and gas industry.
We consider with high confidence that the aforementioned Tandis VBScript, PyInstaller and C ++ samples belong to the same authors that we dubbed WildPressure due to the very similar coding style and victim profile. However, a few questions remains: is WildPressure connected to other threat performers operating in the same region?
Among other actors that we’ve covered in the region Chafer and Ferocious Kitten are worth mentioning. Technically, there’s not much in common with their malware, but we find some minor similarities with another performer in areas we haven’t described publicly still further. Minor similarities with WildPressure are 😛 TAGEND
The “pk” parameter in HTTP requests to distinguish the Trojan lighthouses from, for example, scanners; The utilization of hacked WordPress websites as relays.
Both tactics aren’t unique enough to come to any attribution judgment – it’s possible both groups are simply using the same generic techniques and programming approaches.
Learn threat hunting and malware analysis with Denis Legezo and other GReAT experts.
Indicator of Compromise
Milum version 1.6.1 0efd03fb65c3f92d9af87e4caf667f8e
PyInstaller with Guard 92A11F0DCB973D1A58D45C995993D854( svchost.exe)
Self-decrypting Tandis VBScript 861655D8DCA82391530F9D406C31EEE1( l2dIIYKCQw. vbs)
Orchestrator C1 16 B3F75E12AD3555E762C7208F17B8( winloud.exe)
Config files under Windows %APPDATA%\Microsoft\grconf.dat% APPDATA %\ Microsoft \ vsdb.dat %ALLUSERSPROFILE%\system\thumbnail.dat% ALLUSERSPROFILE %\ Application Data \ system \ Windows \ thumbnail.dat
WQL queries examples SELECT* FROM Win3 2_Process WHERE Name=’
Milum C2 hxxp://107.158.154[.]66/core/main.php hxxp :// 185.177.59 [.] 234/ core/ main.php hxxp://37.59.87[.]172/page/view.php hxxp :/ /8 0.255.3 [.] 86/ page/ view.php hxxp://www.mwieurgbd114kjuvtg[.]com/core/main.php