Never-before-seen attackers are targeting Mideast industrial organizations

reader comments

16 with 15 posters participating

Researchers have unearthed an attack campaign that uses previously unseen malware to target Middle Eastern organizations, some of which are in the industrial sector.

Researchers with Kaspersky Lab, the security firm that discovered the campaign, have dubbed it WildPressure. It uses a family of malware that has no similarities to any malicious code seen in previous attacks. It’s also targeting organizations that don’t overlap with other known campaigns.

Milum, as the malware is dubbed, is written in C++ and contains clues that suggest developers may be working on versions written in other programming languages. While Milum uses configuration data and communication mechanisms that are common among malware developers, the researchers believe that both the malware and the targets are unique.

Attention getting

“A campaign that is, apparently, exclusively targeting entities in the Middle East (at least some of them are industrial-related) is something that automatically attracts the attention of any analyst,” Kaspersky researcher Denis Legezo wrote in a post published on Tuesday. “Any similarities should be considered weak in terms of attribution and may simply be techniques copied from previous well-known cases. Indeed, this ‘learning from more experienced attackers’ cycle has been adopted by some interesting new actors in recent years.”

Milum samples show a compilation date of March 2019, a time frame that’s consistent with the first known infection on May 31, 2019. Kaspersky first spotted Milum last August.

The malware uses the RC4 encryption cipher with a different 64-bit key for each target. It also uses the JSON format for configuration data and to communicate with control servers through HTTP POSTs. Fields inside

Continue reading – Article source