Novel malware, initially identified in March 2020 and dubbed Milum, has now been retooled with a PyInstaller bundle containing a trojan dropper compatible with Windows and macOS systems, according to researchers. Compromised endpoints allow the advanced persistent threat (APT) group to download and upload files and executing commands. Kaspersky published its latest findings tied to the APT and malware, which it first discovered and reported on in March 2020. At that time, researchers noted WildPressure targeted Middle East organizations with a C++ version of a trojan it called Milum.
<p>Python-based multi-OS Trojan, which makes use of publicly available third-party code, is engineered to beacon the victim machine\’s hostname, machine architecture, and OS release name to a remote server and check for installed anti-malware products. After this, it awaits commands from the server that allows it to download and upload arbitrary files, execute commands, update the Trojan, and erase its traces from the infected host.</p>
<p> The VBScript variant, named \"Tandis,\" features similar capabilities to that of Guard and Milum, while leveraging encrypted XML over HTTP for command-and-control (C2) communications.</p>
<p> Whilst the new variants have not yet been seen on a large scale, historically the group has targeted organisations in the oil and gas industry. Therefore, going forward the best precautions for both individuals and organisations to take is to stay alert to these kinds of attacks and block any indicators of compromise.</p>