SecureMac, Inc.

WildPressure Mac malware discovered by security researchers

July 9, 2021

WildPressure Mac malware variant found by security researchers.


Researchers at the cybersecurity firm Kaspersky have discovered a WildPressure Mac malware variant.

Who is WildPressure?

WildPressure is an APT group of unknown origin that operates in the Middle East.

Kaspersky first identified WildPressure as an independent threat actor in March of last year. Back then, they were tracking a malware campaign dating to mid-2019. WildPressure was attacking organizations in the Mideast, at least some of which belonged to the industrial sector.

Researchers have identified some similarities to other APT groups. However, there is still no definitive evidence to link WildPressure to a known threat actor.

What does WildPressure Mac malware do?

WildPressure’s 2019 malware campaign used the Milum trojan. Milum is written in the C++ programming language. However, when Kaspersky analyzed Milum in 2020, they noted that there was evidence to “suggest the existence of, at the very least, plans for non-C++ versions”.

That prediction turned out to be correct. Security researchers have now discovered variants of Milum written in Visual Basic Script (VBScript) as well as in the Python programming language. The Python version of the malware runs on both Windows and macOS.

The WildPressure Mac malware variant starts by setting up a persistence mechanism (the ability to survive reboots). It also checks the local system to see if any malware detection tools are running. This is a common tactic that many families of malware use in order to avoid detection. 
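As an added example (not code from the SecureMac post or from Kaspersky's write-up), the following Python script audits launchd property lists for the kind of reboot-surviving persistence a Python-based trojan would need on macOS. The indicator patterns, job labels, and paths are assumptions constructed for the demonstration, not real WildPressure artifacts.

```python
import os
import plistlib
import re
import tempfile

# Assumed indicators for this example (not values from Kaspersky's write-up): a launchd job
# that starts a Python interpreter on a script under a user-writable path, set to run at boot and stay alive.
INTERPRETER_RE = re.compile(r"(^|/)python[0-9.]*$")
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

def audit_launch_plist(path):
    """Return the reasons a launchd plist looks like script persistence ([] if none)."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    args = list(job.get("ProgramArguments") or [])
    reasons = []
    if args and INTERPRETER_RE.search(args[0]):
        reasons.append("runs a Python interpreter: " + args[0])
    for arg in args:
        if arg.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("references a user-writable path: " + arg)
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (survives reboots and restarts if killed)")
    return reasons

def audit_directory(directory):
    """Audit every .plist in a LaunchAgents/LaunchDaemons-style directory."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            reasons = audit_launch_plist(os.path.join(directory, name))
            if reasons:
                findings[name] = reasons
    return findings

def demo():
    """Write two constructed sample jobs (not real WildPressure artifacts) and audit them."""
    tmp = tempfile.mkdtemp()
    jobs = {
        "com.example.updater.plist": {  # placeholder label; suspicious shape
            "Label": "com.example.updater", "RunAtLoad": True, "KeepAlive": True,
            "ProgramArguments": ["/usr/bin/python3", "/Users/alice/Library/.cache/u.py"]},
        "com.example.helper.plist": {  # placeholder label; benign shape
            "Label": "com.example.helper", "RunAtLoad": True,
            "ProgramArguments": ["/usr/libexec/example-helper"]},
    }
    for name, job in jobs.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            plistlib.dump(job, fh)
    return audit_directory(tmp)
```

Point `audit_directory` at `~/Library/LaunchAgents` or `/Library/LaunchDaemons` to review a real machine; a flagged job is a lead to investigate, not proof of infection.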

The malware sends information to its command and control (C&C) server about the device’s hostname and operating system. It then awaits commands from the server. The security researchers at Kaspersky say the WildPressure Mac malware variant is capable of “typical Trojan functions”. This would include things like:

  • Uploading and downloading arbitrary files
  • Executing commands on a compromised Mac
  • Receiving “updates” for its own components
  • Taking additional steps to “cover its tracks” and avoid detection

Kaspersky’s blog provides a full technical write-up of the malware, including details about how it works on Windows operating systems.

How WildPressure Mac malware spreads

In 2019, WildPressure used a combination of virtual private servers (VPS) and their own website infrastructure in order to spread the malware.

This time, it appears that WildPressure is using both VPS and compromised WordPress sites (i.e. legitimate sites that have been hacked and are now being used to spread malware).

Who is at risk?

From what we know, WildPressure’s attacks appear to be targeted, and the targets tend to be industrial organizations in the Middle East. Kaspersky’s researchers believe that this latest malware campaign is aimed at the oil and gas industry in that part of the world. 

However, they note that they have “very limited visibility” into the activity of the malware samples they’re looking at. Thus they consider their own analysis of the probable target to be a “low-confidence” deduction. 

In other words, everyday Mac users outside of the Middle East are unlikely to be targeted by WildPressure Mac malware … but no one can say for sure that they are safe. This means that everyone should take the following precautions:

  • Keep your version of macOS up to date so that you receive the latest security patches
  • Run a regularly updated malware detection and removal tool on your Mac (MacScan 3 can detect WildPressure malware on macOS)
  • Remember that even trusted sites, if compromised by a bad actor, can steal your data or spread malware
  • Don’t click on, download, or run anything that comes from an unknown source
  • If your Mac warns you that a file you’re about to run can’t be checked for malicious components, or that it hasn’t been properly signed, please pay attention to the warning — and whatever you do, don’t use workarounds to run the file anyway
