WildPressure APT – New Malware Emerges

A malicious campaign that set its sights on industrial-related entities in the Middle East since 2019 has surfaced with an upgraded malware toolset, called WildPressure, to strike both Windows and macOS operating systems, symbolizing expansion in both its targets and its strategy around disturbing threats.

The WildPressure campaign traces back to a super-speedy malware attack from February 12, 2019, that, up until now, has managed to infect hundreds of victims around the world. It was detected by McAfee Labs researchers by combining its unique autonomous exploitation capabilities with its Threat Intelligence partnerships and a closer look at the actors behind it.

Analysis of this campaign has revealed that it is one of the first campaigns in recent years to come out from under the covers and use not only traditional malware but WildPressure also an APT-like modus operandi on a large scale in order to achieve success.

The campaign spreads rapidly through the sophisticated use of social media platforms such as Twitter and Facebook, along with leveraging YouTube and Google+ accounts. This method of spread has allowed it to reach a broader audience than other attacks using the same malware.

The attack can be described as a multi-stage process that starts with a file containing malicious macros, similar to what was seen in the attacks on US government agencies in 2017.

The embedded macro scripts secretly download an executable file (MS Word document) to the victim’s computer upon opening the document. This file installs a copy of CoinMiner, which is essentially a cryptocurrency miner.

Once the malware has been installed on the target’s computer, it reports back to a C2 server located under the control of the threat actor and performs various actions.

The analysis shows that this WildPressure attack is not driven by monetary gain, but rather for cyber espionage purposes. The malware contains functionality to steal information such as browsing history, screenshots, and network traffic information. After it collects the necessary data featuring valuable intelligence, it sends them back to its C2 server via HTTP POST protocol by sending a POST request containing an encrypted body of text with instructions on how to decode it.

The campaign relies on a delivery mechanism consisting of an enhanced version of the Cobalt Strike framework that is distributed in the form of template files with malicious macros. This framework has been used in numerous campaigns over the last few years and has been attributed to threat actors from Iran, Russia, and various APT groups.

However, this attack differs from previous ones as it uses several features not seen before in previous Cobalt Strike attacks:

• · A very fast execution speed similar to that used by self-propagating malware. The macro code executes very quickly after opening the document, allowing it to bypass defenses and security software.
• · A specific feature that allows for the creation of an encrypted tunnel allowing a C2 server to gather and send data back to the attacker. This promotes its ability to be used for cyber espionage purposes.
• · The use of a binary file, which is used as a decryption key for the PHP script that decrypts and sends back information with instructions on how to decode it. This is similar to what was seen from APT actors in previous campaigns and demonstrates an expansion in tactics in order to be more efficient at its goals.
• By combining these features, the malware can stay active on infected desktops without being discovered by security software or antivirus programs because it runs as a background process.
• This campaign demonstrates that the threat landscape has changed and indicates that adversaries will continue to adapt their strategies to create newer multi-stage attacks in order to hide their true intentions and achieve their goals.

Interested in learning more about malware today? Malware Variations – Sophisticated in 2021 discusses malware today in 2021 and how important the right cybersecurity is for your business.

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.