A threat intelligence group at Kaspersky has discovered a hacking campaign that distributes a malicious Trojan, tracked as Milum, against industrial organizations in the Middle East. The research team attributed the activity to an advanced persistent threat (APT) operating under the name “WildPressure.” According to Kaspersky, signs of earlier Milum infections were found in May and August 2019.
Once a device is infected, the Milum Trojan gives its operator remote control of it and can perform malicious activities such as:
- Download commands from its operator and execute them
- Collect information from the compromised machine and send it to the command-and-control server
- Upgrade itself to a newer version
In an APT attack, the attacker gains access to the victim’s systems to steal information or disrupt operations. APT attacks are generally carried out by well-resourced actors with substantial financial and professional backing.
Denis Legezo, Kaspersky’s Senior Security Researcher, said, “Analysts must pay attention because the consequences of an attack against an industrial target can be devastating. So far, we haven’t seen any clues that would support the idea that the attackers behind WildPressure have intentions beyond gathering information from the targeted networks. However, this campaign is still actively developing, and we’ve already discovered new malicious samples apart from the three originally discovered. At this point, we don’t know what will happen as WildPressure develops, but we will be continuing to monitor its progression.”
Recurring Cyberthreats in the Middle East
This is not the first time an APT group has targeted organizations in the Middle East. Cybersecurity experts have stated that, in 2020, Middle East countries will see APT attacks grow faster than other criminal activity. According to Simone Vernacchia, Head of Digital and Cybersecurity Resilience at PwC Middle East, geopolitical tensions have increased the potential for cyberthreats targeting critical national infrastructure.
Recent research found that, since May 2019, the notorious Russian state-sponsored cyber espionage group Pawn Storm (also known as Fancy Bear or APT28) has been scanning servers in order to reuse previously compromised emails. The compromised email addresses are then used to run phishing campaigns, aimed mainly at defense firms in the Middle East, for the purpose of cyber espionage.