
New Milum RAT Used in WildPressure Campaign

A new remote access trojan (RAT) named Milum, which has no similarities to any other known malware, was discovered in a campaign targeting organizations in the Middle East. The campaign has been dubbed WildPressure and appears to have started in late March of 2019, shortly after the first samples of Milum appear to have been created. So far, researchers have not been able to find any clues in the RAT’s code that could link it to any known threat actor, even with a low level of confidence. Both the language the malware is written in, C++, and its use of the standard template library to parse data are extremely common in software. Unspecified fields within the malware’s code have led researchers to believe that the authors plan to create a non-C++ variant of the malware as well. When different samples of Milum were analyzed, it was also noted that each sample carried a different ClientID field, indicating targeted attacks rather than a random campaign. At this time, it appears that the operators behind the WildPressure campaign are only collecting data from victim networks, listing the files on computers, and stealing particular files specified by the attackers in each intrusion.

Analyst Notes

While the current state of WildPressure appears to be limited to information gathering, this is unlikely to be the end of the activities carried out against the campaign’s victims. In many cases, an operation like this is used to refine plans for the next phase of an operation. The change from information gathering to other, potentially more destructive activities can happen suddenly or over a longer timeline. With the threat actors behind Milum and WildPressure unidentified, it is very difficult for analysts and security experts to assess the next phase of the operation, because there are no historical trends that can be used effectively in the analysis. The fact that the RAT does not appear to draw on any previously developed RATs does indicate that the threat actors behind its creation are very capable. Oftentimes, when a newer attacker attempts to create malware, they will draw on previously created malware for structure and inspiration to help guide them through the process quickly. Creating a RAT from scratch with no similarities to other RATs indicates that this is likely not a group of amateurs or skiddies, but rather a threat actor with true abilities that should be taken seriously. More information on this incident can be found at