WildPressure, an advanced persistent threat (APT) actor that targets businesses in the industrial sector in the Middle East, is using revamped malware that is able to infect and run on both Windows and macOS systems.
Researchers with Kaspersky have been watching WildPressure and tracking Milum, a malicious Trojan used by the group, since August 2019. Earlier this year, they identified a new WildPressure attack carried out with newer versions of Milum malware. The files discovered contained the Milum Trojan written in C++ and a corresponding Visual Basic Script (VBScript) variant. Another version they found, written in Python, was developed for Windows and macOS.
In investigating WildPressure, researchers found that Milum reports back to the attackers' servers the programming language in which the Trojan itself is written.
“When first investigating the campaign in 2020, Kaspersky researchers suspected that this pointed to the existence of different versions of this Trojan in different languages. Now this theory has been confirmed.”
Kaspersky's post notes that multi-platform malware capable of infecting devices that run macOS is rare.
“This particular specimen was delivered in a package, which included the malware, Python library and a script named ‘Guard’. This enabled the malware to launch both on Windows and macOS with little additional effort.”
Further investigation into this attack uncovered another version of the malware written in Python, which was developed for both Windows and macOS operating systems. All three versions of the Trojan were able to download and execute commands from the operator, collect information, and upgrade themselves to a newer version.
More information can be found here.