A new remote access trojan (RAT) named Milum, which has no similarities to any other known malware, was discovered in a campaign targeting organizations in the Middle East. The campaign has been dubbed WildPressure and appears to have started in late March 2019, shortly after the first Milum samples appear to have been created. So far, researchers have not been able to find any clues in the RAT's code that would let them link it to a known threat actor, even with a low level of confidence. Both the language the malware is written in, C++, and the way it parses data using the standard template library are extremely common in software. Unspecified fields within the malware's code lead researchers to believe that the authors plan to create a non-C++ variant of the malware as well. When different samples of Milum were analyzed, it was also noted that each sample carried a different ClientID field, indicating targeted attacks rather than an indiscriminate campaign. At this time, it appears that the operators behind the WildPressure campaign are only collecting data from victim networks, listing the files on computers, and stealing particular files specified by the attackers in each intrusion.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense