WildPressure APT

Back in 2019, a campaign deploying a fully-fledged Trojan against industry-related targets in the Middle East failed to match the TTPs (Tactics, Techniques, and Procedures) of the threat actors already established in the region. As a result, it was attributed to a newly established APT (Advanced Persistent Threat) group given the designation WildPressure.

Since this initial operation, the hackers appear to have put quite a lot of effort into expanding and improving their arsenal of harmful tools. Indeed, a new campaign bearing the hallmarks of WildPressure is now deploying several never-before-seen malware threats, one of which is capable of compromising macOS systems. The victims are once again located in the Middle East and are tentatively assessed to be related to the oil and gas sector.

WildPressure has also diversified its infrastructure. The 2019 operation relied on VPS (Virtual Private Servers), while the current campaign also uses several legitimate WordPress sites that have been compromised. Among them are 'hxxp://adelice-formation[.]eu,' 'hxxp://ricktallis[.]com/news,' 'hxxp://whatismyserver123456[.]com,' 'hxxp://www.glisru[.]eu,' and 'hxxp://www.mozh[.]org.'

The Milum Trojan

Milum was the original Trojan deployed by WildPressure. It is written in C++ and uses the JSON format for its configuration data; the same format is also used for communication with the Command-and-Control (C2, C&C) server. The only encryption observed in Milum is RC4, but the threat uses a different 64-byte key for each victim. On the compromised device, the Trojan takes the form of an invisible toolbar window. Its capabilities include executing received commands, uploading data to the server, collecting file and system details, generating and executing a batch script that removes Milum from the system, and updating itself when a new version is released by the hackers.

The Guard Trojan

This malware is written in Python and can infect both Windows and macOS systems. It seems that while creating it, the WildPressure hackers were heavily inspired by and relied upon publicly available third-party code. Overall, the threat shares quite a lot of similarities with the other WildPressure tools, especially in its coding style, its design, and the C2 communication protocol. Infosec researchers believe that the Guard Trojan is still under active development.

One of the first functions activated specifically on macOS devices determines whether another instance of the Trojan is already running. The persistence mechanism is understandably also different. On Windows devices, the Trojan creates a RunOnce registry key, Software\Microsoft\Windows\CurrentVersion\RunOnce\gd_system. On macOS systems, however, Guard decodes an XML document and generates a plist file from it. The malware then uses the contents of that file, placed at $HOME/Library/LaunchAgents/com.apple.pyapple.plist, to automatically run itself. The threat also employs separate methods for obtaining details about the system depending on the OS. As for its capabilities, Guard can be instructed to download additional files to the breached system, upload files of interest to the C2 server, execute commands, fetch a new version, or perform a cleanup routine to remove its traces from the system.
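As an added defender-side example (not WildPressure code, nor code from any vendor report), the following Python script checks a host for the two Guard persistence artefacts named above: the HKCU RunOnce value gd_system and the LaunchAgent file com.apple.pyapple.plist. It also parses the plist to show what the agent would launch, the detail an analyst would triage; the plist's Label and ProgramArguments in SAMPLE_PLIST are constructed sample values, only the file name comes from the report.

```python
import os, plistlib, sys

RUNONCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_VALUE = "gd_system"             # value name taken from the report
PLIST_NAME = "com.apple.pyapple.plist"  # LaunchAgent file name taken from the report

# Constructed stand-in for such an agent; only the file name comes from the report.
SAMPLE_PLIST = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
                b'<key>Label</key><string>com.apple.pyapple</string><key>ProgramArguments</key>'
                b'<array><string>/usr/bin/python3</string><string>/tmp/constructed_agent.py</string>'
                b'</array><key>RunAtLoad</key><true/></dict></plist>')

def flag_runonce_values(values):
    """values: {name: data} read from a RunOnce key -> entries matching the report."""
    return [(n, d) for n, d in values.items() if n.lower() == RUNONCE_VALUE]

def inspect_launch_agent(plist_bytes):
    """Label, launch arguments and RunAtLoad of a LaunchAgent plist; None if unparseable."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return None
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    return {"label": data.get("Label", ""), "args": list(args),
            "run_at_load": bool(data.get("RunAtLoad", False))}

def read_runonce_values():
    """Live enumeration of HKCU RunOnce values (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNONCE_KEY) as key:
        # EnumValue gives (name, data, type); QueryInfoKey(...)[1] is the value count
        return dict(winreg.EnumValue(key, i)[:2] for i in range(winreg.QueryInfoKey(key)[1]))

def scan_host():
    """Check this host for both artefacts; returns human-readable findings."""
    findings = []
    if sys.platform.startswith("win"):
        try:
            hits = flag_runonce_values(read_runonce_values())
            findings += [f"RunOnce\\{n} -> {d}" for n, d in hits]
        except OSError:                     # RunOnce key absent
            pass
    plist = os.path.join(os.path.expanduser("~"), "Library", "LaunchAgents", PLIST_NAME)
    if os.path.isfile(plist):
        with open(plist, "rb") as fh:
            findings.append(f"{plist}: {inspect_launch_agent(fh.read())}")
    return findings

if __name__ == "__main__":
    print("\n".join(scan_host()) or "no Guard persistence artefacts found on this host")
```

Run it as the user whose profile is being checked: the RunOnce key and the LaunchAgents directory are both per-user, and a RunOnce value is deleted by Windows once it has fired, so a clean result does not rule out an earlier run.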

The Tandis Trojan

Tandis is a self-decrypting VBScript threat. Unlike the Guard Trojan, Tandis targets only Windows systems and relies heavily on WQL queries. Otherwise, its functionality is largely consistent with that of Guard and the other WildPressure threats. It achieves persistence via the system registry and is capable of stealthily executing commands, dropping additional payloads onto the system, uploading chosen files, updating itself, running a cleanup routine, and fingerprinting the host. More specifically, Tandis looks for all installed security products with the exception of Defender.

Malicious C++ plugins

Several simplistic, interconnected modules written in C++ have also been discovered. They consist of an Orchestrator and several plugins performing specific tasks. The main module (the Orchestrator) checks whether a configuration file named 'thumbnail.dat' is present on the breached device; the exact location of this file varies depending on the version of the Windows OS. The Orchestrator runs every two minutes and scans the configuration file for the information required to execute a specific plugin.

The corrupted plugins take the form of DLLs. One of the discovered plugins is capable of obtaining extremely detailed information about the system via WQL queries. The collected data includes the OS version, installed OS hotfixes, BIOS and HDD manufacturers, all installed and currently running software products, installed and running security products, user accounts, network adapter settings, and more. Two additional plugins are tasked with keylogging routines. The first one sets a WH_KEYBOARD_LL hook and can then capture keystrokes as well as intercept clipboard content and window titles. The other plugin is responsible for taking screenshots of the system in response to timer and mouse events, which it captures by setting a WH_MOUSE_LL hook.
