Since August 2019, Kaspersky has been tracking the #malicious Trojan #Milum used by the advanced persistent threat (APT) actor #WildPressure, which is active in the Middle East. #Kaspersky researchers investigating one of the Trojan's most recent attacks on the industrial sector discovered new versions of the malware written in different programming languages. One of the versions can infect and run on both #Windows and #macOS systems.
In threat hunting, many great discoveries start from a small clue, and this campaign is no exception. Typically, when a device is infected by a Trojan, the malware sends a beacon to the attackers' servers with information about the device, its network settings, the username and other relevant details. This helps the attackers decide whether the infected device is of any interest. In Milum's case, the beacon also included the programming language the Trojan was written in. When Kaspersky researchers first investigated the campaign in 2020, they suspected this indicated that versions of the Trojan existed in other languages. That theory has now been confirmed.
In the spring of 2021, Kaspersky detected a new wave of WildPressure attacks using a series of newer versions of the Milum malware. The files found included the Milum Trojan written in C++ and a corresponding Visual Basic Script (#VBScript) variant. As the investigation deepened, another version of the malware surfaced, written in #Python and built to run on both Windows and macOS. All three versions of the Trojan were able to download and execute commands from the operator, gather information and upgrade themselves to a newer version.
Cross-platform malware able to infect devices running macOS is rare. This particular sample is delivered as a package containing the Python library and a script named 'Guard', which lets the malware run on both Windows and macOS with little additional effort. Once it has infected a device, it runs operating-system-specific code for persistence and data collection. On Windows the script is packaged into an executable with PyInstaller. The Python Trojan can also check whether security solutions are running on the device.
“WildPressure operators maintain their interest in the same geographic area,” says Denis Legezo, Senior Security Researcher at Kaspersky GReAT. “The authors of the malware develop multiple versions of similar Trojans. The reason behind the development of similar malware in multiple languages is likely to reduce the likelihood of detection. This strategy is not unique among APT actors, but we rarely see malware adapted to run on two systems simultaneously, even in the form of Python code. One of the targeted operating systems is macOS, which is surprising given the attackers' geographic interest.”
To protect yourself from falling victim to a targeted attack, Kaspersky experts recommend:
Don't think of a less common operating system as a shield against threats. It is essential to run a security solution on all the systems and devices you rely on.
Make sure to regularly update all software used in your organization, especially when a new security patch is released. Security products with Vulnerability Assessment and Patch Management features can help automate these processes.
Choose a security solution equipped with behavior-based detection capabilities for effective protection against known and unknown threats, including exploits.
In addition to adopting basic endpoint protection, use an enterprise-grade security solution that detects advanced network-level threats at an early stage.
Make sure your staff receive basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
Picture Source: https://unsplash.com/
You have to mention the image source. Please use free images from pixabay.com or pixel.com, and you must mention the source. Please edit this post and try to write a #steemexclusive post and avoid plagiarism (do not copy-paste from others). Follow experienced Steemit users and try to follow their style, as they make quality posts. Try to attend contests. I appreciate your efforts. Thanks
I'm a blogger as well, no copy-paste for sure 👍
Changed the pictures 👏
Thanks for your useful comments.
Happy STEEM 🙂
Thanks, my friend. I wish you more success here on Steemit. Good luck, stay blessed 💕❤️💖