New macOS-compatible malware variant from WildPressure APT

Addigy | 07/09/2021

A macOS-compatible trojan used by the WildPressure Advanced Persistent Threat (APT), the group behind the Milum trojan, has recently been discovered by researchers at Kaspersky. This variant is a Python script called Guard.

The same script runs on both Windows and macOS: it branches on the host operating system and carries code paths specific to each.

The macOS code initially checks for an already running instance of the malware.

It then decodes an embedded XML property list and writes it out as a Launch Agent, so the script is started again whenever the user logs in (including after a reboot). This is a common way for malware to establish persistence on macOS. Launch Agents are defined in plist files; this one is written to $HOME/Library/LaunchAgents/com.apple.pyapple.plist, a name chosen to look like an Apple component even though Apple does not install its own agents in a user's LaunchAgents folder.

Guard then collects information about the system: running processes, security applications present in /Applications, the OS version, and the hostname.

Once this initial setup is complete, Guard waits for commands from its command and control (C2) servers, which consist primarily of Virtual Private Servers (VPS) and compromised WordPress sites.

Guard has typical trojan functionality such as sending/receiving files, executing commands, updating, and self-removal.

According to Kaspersky's researchers, the WildPressure campaign is focused primarily on the oil and gas industry in the Middle East, so the risk of infection outside that region and sector is low.

At the time of this writing, no anti-virus engine on VirusTotal detects Guard.

For a full technical write-up refer to Kaspersky’s article.

Indicators of compromise for macOS include the following:

    • $HOME/Library/LaunchAgents/com.apple.pyapple.plist
    • $HOME/Library/LaunchAgents/apple.scriptzxy.plist
    • $HOME/.appdata/grconf.dat

We have created a Community Fact to help you identify machines that may have these IoCs.

You can then create a Monitoring Item with the Community Fact above and use this Community Script as auto-remediation.
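The following shell script is an added example, not Addigy's Community Fact or Community Script, that shows what a fact-and-remediation pair for the indicators above looks like: it checks for the three paths, reports a true/false result suitable for a monitoring item, unloads the Launch Agents with launchctl when that tool is present, and deletes the files. It also includes a broader heuristic that goes beyond the two file names on this page: since Apple never places its own agents in a user's ~/Library/LaunchAgents, any plist there named com.apple.* deserves inspection. Paths are resolved against a base directory argument (assumed to be the target user's $HOME in production) so the logic can be exercised against a scratch tree.

```shell
#!/bin/sh
# Detection and remediation for the WildPressure "Guard" macOS indicators.
# Added example; not Addigy's Community Fact/Script. The base directory is
# passed in so the functions can run against a scratch tree; in production
# pass the logged-in user's $HOME.

# Indicators of compromise from the post, relative to the user's home.
wildpressure_iocs() {
    cat <<'EOF'
Library/LaunchAgents/com.apple.pyapple.plist
Library/LaunchAgents/apple.scriptzxy.plist
.appdata/grconf.dat
EOF
}

# Print each indicator that exists under $1. Returns 0 if any were found,
# 1 otherwise, so the result can drive a monitoring check.
find_wildpressure_iocs() {
    base="$1"; found=1
    for rel in $(wildpressure_iocs); do
        if [ -e "$base/$rel" ]; then
            printf '%s\n' "$base/$rel"
            found=0
        fi
    done
    return $found
}

# Boolean "fact": prints true when any indicator is present, else false.
wildpressure_fact() {
    if find_wildpressure_iocs "$1" >/dev/null; then echo true; else echo false; fi
}

# Heuristic beyond the two file names above: Apple installs its own agents
# under /System/Library and /Library, never in a user's LaunchAgents folder,
# so a per-user plist named com.apple.* is masquerading. (Assumption: no
# legitimate third-party software reuses Apple's prefix.) Returns 0 if any.
suspicious_apple_named_agents() {
    dir="$1/Library/LaunchAgents"
    [ -d "$dir" ] || return 1
    found=1
    for f in "$dir"/com.apple.*.plist; do
        [ -e "$f" ] || continue
        printf '%s\n' "$f"
        found=0
    done
    return $found
}

# Unload the agents (only where launchctl exists, i.e. on macOS) and delete
# every indicator found under $1. Prints each removed path.
remediate_wildpressure() {
    base="$1"
    find_wildpressure_iocs "$base" | while IFS= read -r path; do
        case "$path" in
            *.plist)
                if command -v launchctl >/dev/null 2>&1; then
                    # "unload" is the legacy subcommand; it still works on
                    # current macOS and does not fail the script if the agent
                    # was never loaded.
                    launchctl unload "$path" 2>/dev/null || true
                fi
                ;;
        esac
        rm -f "$path" && printf 'removed %s\n' "$path"
    done
}

# Usage: ./wildpressure.sh --check [HOME]   or   ./wildpressure.sh --remediate [HOME]
case "${1:-}" in
    --check)     wildpressure_fact "${2:-$HOME}" ;;
    --remediate) remediate_wildpressure "${2:-$HOME}" ;;
esac
```

When this runs as root from an MDM agent rather than as the affected user, launchctl needs to act in the user's session (for example via `launchctl asuser <uid>`), otherwise the plist is deleted but the already-running agent keeps its process until the next logout. Killing the live Python process is a separate step that this example deliberately leaves to the operator, since the page does not document Guard's process name.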

How to Apply the Custom Fact & Script
