WildPressure is a newly identified APT (Advanced Persistent Threat) group that targets organizations in the Middle East, delivering the Milum RAT to obtain remote access to, and therefore control of, the targeted device. Milum was first detected by Kaspersky researchers in a campaign in August 2019; the RAT is written in C++. It is worth noting that the new malware campaign does not appear to resemble any previously known campaign.
WildPressure's malware campaign targets the Middle East region
The APT group has been targeting industrial-sector organizations in the Middle East since at least May 2019, although the mechanism by which the Milum RAT is delivered to victims is still not known. Once installed on the targeted device, the Trojan named Milum runs as an invisible toolbar window, and in its basic mode it creates a separate thread for communication with its operators.
Kaspersky researchers also found that the malware makes use of a number of zlib compression functions, such as zlibVersion, inflate and deflate.
Milum then decodes its embedded configuration data, from which it obtains parameters such as "clientid" and "encrypt_key"; the latter is the key used for RC4 encryption.
C2 communication runs over HTTP, and the malware identifies itself as version 1.0.1, which suggests that it is still at an early stage of development.
RC4 is the only encryption algorithm used, with a different 64-byte key for each victim. Judging from the C2 domain (upiserversys1212[.]com), the majority of the IP addresses connecting to it are located in the Middle East.
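As an added illustration (not Milum's own code and not taken from the Kaspersky report), the following Python sketches the traffic handling the preceding paragraphs describe: a decoded configuration carrying "clientid" and "encrypt_key", zlib compression of the message, and RC4 with a 64-byte per-victim key. The JSON message layout, the hex encoding of the key, and the sample values are assumptions made for this example; the report does not publish the actual wire format.

```python
import json
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key scheduling (KSA) followed by the PRGA keystream
    XORed over the data. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed sample configuration. The field names "clientid" and
# "encrypt_key" are the ones the report mentions; the values and the hex
# encoding of the 64-byte key are assumptions made for this illustration.
SAMPLE_CONFIG = {
    "clientid": "victim-0001",
    "encrypt_key": "0123456789abcdef" * 8,  # 128 hex chars = 64 raw bytes
}


def config_key(config: dict) -> bytes:
    """Recover the per-victim RC4 key from the decoded configuration and
    check that it has the 64-byte length the report describes."""
    key = bytes.fromhex(config["encrypt_key"])
    if len(key) != 64:
        raise ValueError(f"expected a 64-byte key, got {len(key)} bytes")
    return key


def build_beacon(config: dict, message: dict) -> bytes:
    """Client side (assumed layout): tag the message with clientid,
    JSON-encode it, zlib-compress it, then RC4-encrypt with the per-victim
    key. The result is what would travel as the body of an HTTP request."""
    body = dict(message, clientid=config["clientid"])
    plain = json.dumps(body, separators=(",", ":")).encode()
    return rc4(config_key(config), zlib.compress(plain))


def parse_beacon(config: dict, blob: bytes) -> dict:
    """Analyst side: reverse the steps above. A wrong key hands zlib
    garbage, which surfaces here as a ValueError instead of a silent
    mis-parse."""
    try:
        plain = zlib.decompress(rc4(config_key(config), blob))
        return json.loads(plain.decode("utf-8"))
    except (zlib.error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("beacon did not decrypt with this key") from exc


if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext".
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    blob = build_beacon(SAMPLE_CONFIG, {"cmd": "ping", "ver": "1.0.1"})
    print("encrypted beacon:", blob.hex())
    print("decrypted:", parse_beacon(SAMPLE_CONFIG, blob))
```

The practical point for defenders follows from the design the report describes rather than from RC4's known weaknesses: because the key is static per victim and sits in the malware's configuration, recovering the configuration from a single sample is enough to decrypt every C2 exchange captured for that victim, and parse_beacon doubles as a quick check of whether a candidate key is the right one.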
To launch the campaign, the APT group rented virtual private servers (VPS) from OVH and registered its domains through a domain-privacy (proxy) service. WildPressure appears to be a new group whose activity is distinct, bearing no resemblance to other known malware campaigns.