Kaspersky uncovers malicious trojan Milum targeting Industrial sector in Middle East

Cybersecurity company Kapersky has uncovered a malicious cyber campaign targeting the Middle East industrial sector.

The cyber campaign was first discovered by Kapersky’s global research analysis team in August. It’s goal appears to be the distribution of a malicious Trojan known as Milum that can gain remote control of devices.

The operation known as WildPressure is targeting a number of organizations including those representing the industrial sector. The attacks are still ongoing and new versions of the malware are being developed.

“Any time the industrial sector is being targeted, it’s concerning,” Kaspersky senior security researcher Denis Legezo said in a press release. “Analysts must pay attention because the consequences of an attack against an industrial target can be devastating. So far, we haven’t seen any clues that would support the idea that the attackers behind WildPressure have intentions beyond gathering information from the targeted networks. However, this campaign is still actively developing, and we’ve already discovered new malicious samples apart from the three originally discovered. At this point, we don’t know what will happen as WildPressure develops, but we will be continuing to monitor its progression.”

Kapersky’s team has added WildPressure to it’s list of advanced persistent threats. The most sophisticated types of cyber attacks fall into this category.

“Quite often, the attacker secretly gains extended access into a system to steal information or disrupt its normal operation,” Kapersky said in the release. “These attacks are typically created and deployed by actors that have access to large financial and professional resources. Given the nature of this threat, WildPressure quickly gained the attention of Kaspersky researchers.”

The nearly identical samples of the “Milum” trojan that have been discovered do not resemble other known malicious cyber campaigns in terms of code.  Analysis of the malware’s code showed that the first three samples were created in March 2019 and the attacks are believed to have begun at the end of May.

“To date, we don’t have any data regarding the Milum spreading mechanism,” Legezo wrote in a post on Kapersky’s Securelist site.  “A campaign that is, apparently, exclusively targeting entities in the Middle East (at least some of them are industrial-related) is something that automatically attracts the attention of any analyst. Any similarities should be considered weak in terms of attribution, and may simply be techniques copied from previous well-known cases. Indeed, this ‘learning from more experienced attackers’ cycle has been adopted by some interesting new actors in recent years.”

Once a system is infected with this trojan, an attacker can take control from anywhere. This can allow attackers to download and execute commands, collect information from the attacked machine and send it to the command and control server, upgrade itself to a newer version, and delete itself.

“We should also be cautious regarding the true targeting of this new set of activities, as it is probably too soon to jump to conclusions,” Legezo wrote. “The targeted nature seems to be clear, but the targeting itself might be limited by our own visibility. The malware is not exclusively designed against any kind of victim in particular and might be reused in other operations.”

Vidya Lakshmi

IndustrialCyber Editor & Features Vidya is a freelance journalist with around 10 years of experience in business journalism. She started her career reporting on U.S. equities markets and later moved to niche financial news. She developed an interest in ICS cybersecurity after researching some incidents and reading about it online.