New macOS-compatible malware variant from WildPressure APT
A macOS-compatible version of the Milum trojan, part of the WildPressure Advanced Persistent Threat (APT), has recently been discovered by researchers at Kaspersky. This particular variant is in the form of a Python script called Guard.
The script itself works on both Windows and macOS as there is code specific to both operating systems.
The macOS code initially checks for an already running instance of the malware.
Then it decodes an XML file that creates a Launch Agent so that the script will start itself again if the system reboots. This is a common means for malware to establish persistence on macOS. Launch Agents are defined in PLIST files and this one is created at $HOME/Library/LaunchAgents/com.apple.pyapple.plist.
Guard collects information about the system such as running processes, security applications in the /Applications directory, OS version, and hostname.
Once this initial setup is complete, Guard will wait for commands from its various command and control (C2) servers which consists primarily of Virtual Private Servers (VPS) and compromised WordPress sites.
Guard has typical trojan functionality such as sending/receiving files, executing commands, updating, and self-removal.
According to Kaspersky researchers, the WildPressure malware campaign is primarily focused on targeting the oil and gas industry in the Middle East. So the risk of being a target of infection outside of this region is low.
At the time of this writing, no anti-virus engine on VirusTotal detects Guard.
For a full technical write-up refer to Kaspersky’s article.
Indicators of compromise for macOS include the following:
-
- $HOME/Library/LaunchAgents/com.apple.pyapple.plist
- $HOME/Library/LaunchAgents/apple.scriptzxy.plist
- $HOME/.appdata/grconf.dat
We have created a Community Fact to help you identify machines that may have IoC’s.
You can then create a Monitoring Item with the Community Fact above and use this Community Script as auto-remediation.
