New Milum trojan used against Mid-Eastern targets

Kaspersky has uncovered an highly targeted attack striking a single country using a trojan written in C++ that has not been spotted before.

Dubbed Milum, the trojan shows no code similarities with known campaigns reported Kaspersky’s Threat Attribution Engine and only three instances of it have bee found and are considered all part of the same operation which received the code name operation WildPressure.

When successfully installed the trojan can enable a remote attacker to gain control of the device.

Kaspersky found the campaign in August 2019, but in September of that year Kaspersky was able to sinkhole one of the C2 servers. By doing so it could determine most of the server’s visitors came from Middle Eastern IP addresses with the remainder being network scanners, Tor exit nodes and VPN connections. The server also contained information indicating the first attacks stated at the end of May 2019.

“The compilation timestamps for all these files is the same – March 2019. This is consistent with the fact that we registered no infections before May 31, 2019, so the compilation dates don’t seem to be spoofed. For their campaign infrastructure, the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymization service,” Kasperky said.

Unfortunately, all of the evidence compiled has not disclosed any clues as to who may be behind the attacks. The code itself is rather common and is not designed to assault any particular type of target making it difficult to decipher the attacker by considering its target.

“Their C++ code is quite common, regarding configuration data and communication protocol malware uses base64-encoded JSON-formatted configuration data stored in the binary’s resource section and parses it with Standard Template Library (STL) functions. However, these commonalities are not conclusive enough for attribution and our hypothesis is that they are merely coincidence. We will continue to monitor this activity,” Kaspersky concluded.