Milum RAT

Milum RAT Description

The Milum malware is a RAT (Remote Access Trojan) that has been deployed in two operations so far. The first campaign took place in April 2019, and the following one was executed in March 2020. After studying this threat, malware researchers suspect that the Milum RAT is the creation of a highly-skilled group of individuals. It is not likely that the cybercriminals responsible for the Milum Trojan would be going after regular users. The creators of the Milum RAT will likely target big corporations and businesses. In their latest campaign called WildPressure, the authors of the Milum RAT targeted companies located in the Middle East.

It’s not often we see a completely new virus appear, but it does happen. The new Milum RAT virus shares no similarities with virus samples from earlier virus campaigns. Researchers say that Milum is being used to target organizations in an attack they call WildPressure.

Milum first appeared in the wild sometime last year, and researchers believe it was created in March 2019. The first recorded attack was in April, but the virus could have infected victims as early as May 2019.

Researchers Don’t Know Who is Behind Milum RAT

Researchers looked at the malware code, written in C++, but were unable to attribute it to any known adversary. Researchers couldn’t even hazard a guess as to who might be behind the attack.

A technical analysis of the code shows that the virus uses a standard code. Even the configuration data for the virus is common, which makes it harder to attribute to a specific threat actor or group.

The next step would be to check the victims against known attackers, but this didn’t help either. Researchers say attacks targeted Middle East targets, many of whom were in the industrial sector.

Researchers were able to sinkhole a command and control domain for the RAT in September 2019. The WildPressure campaign was tracked to upiserversys.com. Researchers noticed that the IP addresses connected to the server appeared to come from the Middle East, in particular, Iran. The addresses from other parts of the world were likely TOR exit nodes, VPN connections, and network scanners.

The Birth of a New RAT

The Milum RAT may be new, but there’s no doubt it’s fully-developed and has all the features one would expect from a trojan. The virus has everything it needs to manage an infected device remotely. The following is a list of just some of what this new RAT can do;

  • Run commands
  • Connect to servers to receive new commands
  • Find file information
  • Generate and run batch scripts to delete itself
  • Get information about the infected system
  • Pull a directory list including files
  • Automatically update itself

Researchers at Kaspersky were able to get their hands on three samples of the virus. Their analysis of the viruses showed that the strains were almost identical. The strains had a timestamp indicating they were compiled in March. While it’s possible to spoof a compilation timestamp, researchers still believe that the virus is an entirely new threat.

A key indicator that Milum is a new threat is that Milum infections didn’t appear before March 31. Another sign is that, when connected to the C2, the malware states it is version 1.0.1. A version number like that indicates that something is in the very early stages of development. The version number could also show plans to create a non-C++ version of Milum.

Researchers say that the threat actors behind Milum identify targets using a code unfamiliar to them, including “839ttttttt,” “HatLandid3,” and “HatLandid30.” The different strains had their own unique ClientIDs, which would suggest targeted attacks.

Researchers say there are no signs that Milum will be used for anything other than data collection right now. That doesn’t mean that the virus isn’t a threat, though, as the threat actors could change their plans in an instant. There’s always the potential that Milum could develop into a more severe problem that employs different attack vectors.