The threat actor known as WildPressure APT has added a macOS variant of its malware to its latest campaign, which targets energy sector businesses and uses compromised WordPress websites to carry out the attacks. The malware, first identified in March 2020 and dubbed Milum, has now been retooled with a PyInstaller bundle that contains a trojan dropper compatible with both Windows and macOS, according to cybersecurity researchers. On compromised endpoints, the advanced persistent threat (APT) group can execute commands and download and upload files.
Days earlier, Kaspersky published its latest findings on the APT and its malware, which it first discovered and reported in March 2020. At that time, researchers noted that WildPressure was targeting organisations in the Middle East with a C++ version of a trojan named Milum. The latest samples of Milum reveal the addition of a self-decrypting VBScript trojan named Tandis, a macOS-compatible PyInstaller bundle, and a multi-OS trojan named Guard. "A PyInstaller bundle contains a macOS-compatible Python application and all its dependencies in a single package," according to the technical description. The PyInstaller Windows executable was detected on September 1, 2020 and shows version 2.2.1. It contains an archive with all the necessary libraries and a Python trojan that works on both Windows and macOS. The original name of the script inside the PyInstaller bundle is "Guard".
According to Kaspersky, which sinkholed new WildPressure command-and-control servers in 2021, WildPressure uses both virtual private servers and compromised servers in its infrastructure, most of them hosting WordPress websites.
Researchers noted that the code used inside Guard for encryption and network communications is OS-independent, but the host persistence procedure is not.
For macOS, Guard decodes an XML document and writes its contents to a plist file at ~/Library/LaunchAgents/com.apple.pyapple.plist so that it runs itself, while on Windows the script creates a RunOnce registry key, Software\Microsoft\Windows\CurrentVersion\RunOnce\gd_sytem, Kaspersky researchers wrote.
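A defender-side check for the macOS persistence artefact described above, added here as an example and not code from Kaspersky's report or from the malware itself: it parses LaunchAgent plists and flags the two traits the Guard agent exhibits, an Apple-style label installed in a per-user LaunchAgents directory and an interpreter launching a script from a non-Apple path. The sample plist, the path prefixes and the interpreter list are constructed assumptions for illustration; the Windows RunOnce artefact is not covered.

```python
from __future__ import annotations
import plistlib
from pathlib import Path

# Constructed sample (not a real capture) mirroring the artefact described above:
# a per-user LaunchAgent with an Apple-style label that runs a Python script.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.pyapple</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python3</string>
    <string>/Users/example/Library/.guard/guard.py</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Assumed locations where Apple-shipped agents and their programs legitimately live.
APPLE_OWNED = ("/System/", "/usr/libexec/", "/usr/sbin/", "/Library/Apple/")
INTERPRETERS = ("python", "osascript", "bash", "sh", "zsh", "perl", "ruby")

def assess_launch_agent(plist_bytes: bytes, per_user: bool = True) -> list[str]:
    """Return the reasons a LaunchAgent plist looks suspicious (empty list if none)."""
    reasons: list[str] = []
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed content in LaunchAgents is itself worth a look
        return [f"unparseable plist: {exc}"]
    label = str(data.get("Label", ""))
    args = [str(a) for a in data.get("ProgramArguments", [])]
    program = str(data.get("Program") or (args[0] if args else ""))
    # Apple's own agents are installed under /System/Library/LaunchAgents, never in a
    # user's ~/Library/LaunchAgents, so an Apple-style label there is a red flag.
    if per_user and label.startswith("com.apple."):
        reasons.append(f"Apple-style label {label!r} in a per-user LaunchAgents directory")
    # An interpreter running a script outside Apple-owned paths is the trace a Python payload leaves.
    if Path(program).name.startswith(INTERPRETERS):
        scripts = [a for a in args[1:] if not a.startswith("-")]
        if scripts and not scripts[0].startswith(APPLE_OWNED):
            reasons.append(f"interpreter {program!r} runs non-Apple script {scripts[0]!r}")
    return reasons

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Assess every plist in a LaunchAgents directory; returns {filename: reasons}."""
    return {p.name: r for p in sorted(directory.glob("*.plist"))
            if (r := assess_launch_agent(p.read_bytes(), per_user=True))}

if __name__ == "__main__":
    for reason in assess_launch_agent(SAMPLE_PLIST):
        print("flag:", reason)
```

Running `scan_launch_agents(Path.home() / "Library" / "LaunchAgents")` on a macOS host lists every per-user agent that trips either heuristic.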