We have created a Community Fact to help you identify machines that may have IoC’s. Indicators of compromise for macOS include the following:
So the risk of being a target of infection outside of this region is low.Īt the time of this writing, no anti-virus engine on VirusTotal detects Guard.įor a full technical write-up refer to Kaspersky’s article. Guard has typical trojan functionality such as sending/receiving files, executing commands, updating, and self-removal.Īccording to Kaspersky researchers, the WildPressure malware campaign is primarily focused on targeting the oil and gas industry in the Middle East. Once this initial setup is complete, Guard will wait for commands from its various command and control (C2) servers which consists primarily of Virtual Private Servers (VPS) and compromised WordPress sites. Guard collects information about the system such as running processes, security applications in the /Applications directory, OS version, and hostname. Launch Agents are defined in PLIST files and this one is created at $HOME/Library/LaunchAgents/. This is a common means for malware to establish persistence on macOS. Then it decodes an XML file that creates a Launch Agent so that the script will start itself again if the system reboots. The macOS code initially checks for an already running instance of the malware.
The script itself works on both Windows and macOS as there is code specific to both operating systems. This particular variant is in the form of a Python script called Guard. A macOS-compatible version of the Milum trojan, part of the WildPressure Advanced Persistent Threat (APT), has recently been discovered by researchers at Kaspersky.
0 kommentar(er)
