New macOS-compatible malware variant from WildPressure APT

Addigy | 07/09/2021

A macOS-compatible version of the Milum trojan, part of the WildPressure Advanced Persistent Threat (APT), has recently been discovered by researchers at Kaspersky. This particular variant is in the form of a Python script called Guard.

The script itself works on both Windows and macOS as there is code specific to both operating systems.

The macOS code initially checks for an already running instance of the malware.

Then it decodes an XML file and writes it out as a Launch Agent so that the script is started again after the system reboots. This is a common means for malware to establish persistence on macOS. Launch Agents are defined in PLIST files, and this one is created at $HOME/Library/LaunchAgents/com.apple.pyapple.plist.

Guard collects information about the system such as running processes, security applications in the /Applications directory, OS version, and hostname.

Once this initial setup is complete, Guard waits for commands from its various command and control (C2) servers, which consist primarily of Virtual Private Servers (VPS) and compromised WordPress sites.

Guard has typical trojan functionality such as sending/receiving files, executing commands, updating, and self-removal.

According to Kaspersky researchers, the WildPressure malware campaign is primarily focused on targeting the oil and gas industry in the Middle East. So the risk of being a target of infection outside of this region is low.

At the time of this writing, no anti-virus engine on VirusTotal detects Guard.

For a full technical write-up refer to Kaspersky’s article.

Indicators of compromise for macOS include the following:

    • $HOME/Library/LaunchAgents/com.apple.pyapple.plist
    • $HOME/Library/LaunchAgents/apple.scriptzxy.plist
    • $HOME/.appdata/grconf.dat

We have created a Community Fact to help you identify machines that may have these IoCs.

You can then create a Monitoring Item with the Community Fact above and use this Community Script as auto-remediation.
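The following shell script is an added example, not Addigy's Community Fact or Community Script and not code from the Kaspersky write-up. It covers both the Launch Agent persistence described above and the IoC list: it checks a home directory for the three file paths from the post, reports any that exist, and can optionally unload the Launch Agent and delete the files. The function names (find_iocs, has_iocs, remediate_iocs) and the REMEDIATE environment variable are this example's own; launchctl is only called when it is present, so the check itself also runs on non-macOS systems.

```shell
#!/bin/sh
# Added example: detect (and optionally remove) the macOS WildPressure/Guard
# file-based IoCs listed in the post. Not Addigy's Community Fact or Script.

# IoC paths from the post, relative to the home directory being checked.
IOC_RELATIVE_PATHS="
Library/LaunchAgents/com.apple.pyapple.plist
Library/LaunchAgents/apple.scriptzxy.plist
.appdata/grconf.dat
"

# Print every IoC path that exists under the given home directory, one per line.
# Always returns 0 so it is safe to call under 'set -e'.
find_iocs() {
    home_dir="$1"
    for rel in $IOC_RELATIVE_PATHS; do
        full="$home_dir/$rel"
        if [ -e "$full" ]; then
            printf '%s\n' "$full"
        fi
    done
    return 0
}

# Return 0 if at least one IoC exists under the given home directory, 1 otherwise.
# This is the read-only check a monitoring fact would perform.
has_iocs() {
    [ -n "$(find_iocs "$1")" ]
}

# Remediation: for each IoC found, unload the Launch Agent first (launchctl exists
# only on macOS, so it is skipped elsewhere) and then delete the file.
remediate_iocs() {
    home_dir="$1"
    find_iocs "$home_dir" | while IFS= read -r full; do
        case "$full" in
            *.plist)
                if command -v launchctl >/dev/null 2>&1; then
                    launchctl unload "$full" 2>/dev/null || true
                fi
                ;;
        esac
        rm -f "$full"
        printf 'removed %s\n' "$full"
    done
    return 0
}

# Stand-alone use: report for the current user; set REMEDIATE=1 to also clean up.
if has_iocs "${HOME:-}"; then
    echo "WildPressure/Guard IoCs found under ${HOME:-}:"
    find_iocs "${HOME:-}"
    if [ "${REMEDIATE:-0}" = "1" ]; then
        remediate_iocs "${HOME:-}"
    fi
else
    echo "No WildPressure/Guard IoCs found under ${HOME:-}"
fi
```

Run it as the user whose home directory should be checked; the Launch Agent paths are per-user, so a fleet-wide check has to iterate over every account's home directory rather than only the one running the script. Unloading the agent before deleting the plist matters because launchd keeps the job registered until it is unloaded or the user logs out.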
