New Milum trojan used against Mid-Eastern targets
Kaspersky has uncovered a highly targeted attack against a single country that uses a previously unseen trojan written in C++. Dubbed Milum, the trojan shows no code similarities with known campaigns, according to Kaspersky’s Threat Attribution Engine. Only three samples have been found, and all are considered part of the same operation, which Kaspersky has code-named WildPressure. Once installed, the trojan gives a remote attacker control of the device.

Kaspersky discovered the campaign in August 2019 and in September of that year sinkholed one of its command-and-control (C2) servers. Most of the visitors to the sinkholed server came from Middle Eastern IP addresses; the remainder were network scanners, Tor exit nodes and VPN connections. Data on the server also indicated that the first attacks started at the end of May 2019.

“The compilation timestamps for all these files are the same – March 2019. This is consistent with the fact that we registered no infections before May 31, 2019, so the compilation dates don’t seem to be spoofed. For their campaign infrastructure, the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymization service,” Kaspersky said.

Unfortunately, none of the evidence collected so far gives any clue as to who is behind the attacks.
The code itself is unremarkable and is not tailored to any particular type of victim, so the choice of targets offers little help in identifying the attacker.

“Their C++ code is quite common. Regarding configuration data and communication protocol, the malware uses base64-encoded JSON-formatted configuration data stored in the binary’s resource section and parses it with Standard Template Library (STL) functions. However, these commonalities are not conclusive enough for attribution and our hypothesis is that they are merely coincidence. We will continue to monitor this activity,” Kaspersky concluded.
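The configuration detail Kaspersky describes, base64-encoded JSON embedded in the binary’s resources, is a pattern an analyst can check for quickly when triaging a sample. The Python below is an added example written for this article; it is not Kaspersky’s tooling and does not reproduce Milum’s real configuration schema. It carves base64 runs out of a raw byte buffer (such as a dumped resource section), keeps only those that strictly decode to a JSON object or array, and pulls out a hypothetical "c2" field. The field names and the sample resource bytes are constructed for the illustration.

```python
import base64
import binascii
import json
import re

# Runs of base64 alphabet at least 32 characters long, with optional padding.
# The length floor drops short accidental matches (identifiers, path fragments);
# a real configuration blob is considerably longer.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def carve_b64_json(blob: bytes) -> list:
    """Return (offset, object) for every base64 run in blob that decodes to JSON.

    Runs that are not strictly valid base64, or that decode to something other
    than a UTF-8 JSON object or array, are skipped so the caller sees only
    plausible configuration candidates.
    """
    hits = []
    for match in B64_RUN.finditer(blob):
        try:
            # validate=True rejects runs with bad length or padding instead of
            # silently decoding a truncated prefix.
            raw = base64.b64decode(match.group(0), validate=True)
            obj = json.loads(raw.decode("utf-8"))
        except (binascii.Error, ValueError):
            # binascii.Error: not base64; ValueError also covers
            # UnicodeDecodeError and json.JSONDecodeError.
            continue
        if isinstance(obj, (dict, list)):
            hits.append((match.start(), obj))
    return hits


# Constructed stand-in for a dumped resource section. The field names are
# hypothetical and are NOT Milum's real schema; they only give the carver
# something realistic to find between padding and unrelated strings.
SAMPLE_CONFIG = {"c2": ["203.0.113.10", "198.51.100.7"], "interval": 300, "id": "TEST01"}
SAMPLE_RESOURCE = (
    b"\x00" * 16
    + b"VS_VERSION_INFO\x00"
    + base64.b64encode(json.dumps(SAMPLE_CONFIG, separators=(",", ":")).encode())
    + b"\x00" * 8
    + b"https://example.invalid/not-a-config\x00"
    # Valid base64 that is not JSON: must be skipped, not reported.
    + base64.b64encode(b"\x01\x02\x03" * 20)
)


def c2_addresses(blob: bytes, key: str = "c2") -> list:
    """Collect the values under `key` (assumed field name) from every carved config."""
    addrs = []
    for _, obj in carve_b64_json(blob):
        if isinstance(obj, dict) and isinstance(obj.get(key), list):
            addrs.extend(str(v) for v in obj[key])
    return addrs


if __name__ == "__main__":
    for offset, cfg in carve_b64_json(SAMPLE_RESOURCE):
        print(f"config at offset 0x{offset:x}: {cfg}")
    print("C2 candidates:", c2_addresses(SAMPLE_RESOURCE))
```

Feed it the bytes of a resource entry dumped from a suspicious PE and any hit is worth a closer look; the strict decode and the JSON check keep false positives from random alphanumeric strings low. One caveat: if the encoded blob is immediately adjacent to other printable alphanumeric data, the regex will merge them into one run and the decode will fail, so on a noisy buffer it is worth also trying the run trimmed to a multiple of four characters from each end.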