SYMBOLCOMMON_NAMEaka. SYNONYMS
win.milum (Back to overview)

Milum


In August 2019, Kaspersky Labs discovered a malware they dubbed Milum (naming based on internal file name fragments) when investigating an operation they named WildPressure. It is written in C++ using STL, primarily to parse JSON. Functionality includes bidirectional file transmission and remote command execution.

References
2021-07-07KasperskyDenis Legezo
@online{legezo:20210707:wildpressure:0bdf5ef, author = {Denis Legezo}, title = {{WildPressure targets the macOS platform}}, date = {2021-07-07}, organization = {Kaspersky}, url = {https://securelist.com/wildpressure-targets-macos/103072/}, language = {English}, urldate = {2021-07-09} } WildPressure targets the macOS platform
Milum
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-03-24Kaspersky LabsDenis Legezo
@online{legezo:20200324:wildpressure:add6905, author = {Denis Legezo}, title = {{WildPressure targets industrial-related entities in the Middle East}}, date = {2020-03-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/}, language = {English}, urldate = {2020-03-26} } WildPressure targets industrial-related entities in the Middle East
Milum
Yara Rules
[TLP:WHITE] win_milum_auto (20211008 | Detects win.milum.)
rule win_milum_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.milum."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.milum"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7568 8b561c 837a2c00 7449 8b4614 8d4802 }
            // n = 6, score = 400
            //   7568                 | jne                 0x6a
            //   8b561c               | mov                 edx, dword ptr [esi + 0x1c]
            //   837a2c00             | cmp                 dword ptr [edx + 0x2c], 0
            //   7449                 | je                  0x4b
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   8d4802               | lea                 ecx, dword ptr [eax + 2]

        $sequence_1 = { e8???????? 8b5598 83c404 52 e8???????? 83c404 c645fc04 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8b5598               | mov                 edx, dword ptr [ebp - 0x68]
            //   83c404               | add                 esp, 4
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4

        $sequence_2 = { 46 85c0 75f0 833cb5385e460000 7504 33c0 eb55 }
            // n = 7, score = 400
            //   46                   | inc                 esi
            //   85c0                 | test                eax, eax
            //   75f0                 | jne                 0xfffffff2
            //   833cb5385e460000     | cmp                 dword ptr [esi*4 + 0x465e38], 0
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb55                 | jmp                 0x57

        $sequence_3 = { e8???????? 83c40c 8a45cc 8ac8 2403 c0e004 8ad0 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8a45cc               | mov                 al, byte ptr [ebp - 0x34]
            //   8ac8                 | mov                 cl, al
            //   2403                 | and                 al, 3
            //   c0e004               | shl                 al, 4
            //   8ad0                 | mov                 dl, al

        $sequence_4 = { 0fb64001 884102 0fb69690a64600 885103 0fb68691a64600 5b 5f }
            // n = 7, score = 400
            //   0fb64001             | movzx               eax, byte ptr [eax + 1]
            //   884102               | mov                 byte ptr [ecx + 2], al
            //   0fb69690a64600       | movzx               edx, byte ptr [esi + 0x46a690]
            //   885103               | mov                 byte ptr [ecx + 3], dl
            //   0fb68691a64600       | movzx               eax, byte ptr [esi + 0x46a691]
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi

        $sequence_5 = { ff15???????? c9 c20800 8bff 56 8bf1 85f6 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   8bff                 | mov                 edi, edi
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   85f6                 | test                esi, esi

        $sequence_6 = { 47 895de4 897db8 eb63 3c31 0f8ca8010000 }
            // n = 6, score = 400
            //   47                   | inc                 edi
            //   895de4               | mov                 dword ptr [ebp - 0x1c], ebx
            //   897db8               | mov                 dword ptr [ebp - 0x48], edi
            //   eb63                 | jmp                 0x65
            //   3c31                 | cmp                 al, 0x31
            //   0f8ca8010000         | jl                  0x1ae

        $sequence_7 = { 720d 8b45fc 8a044591a64600 8806 46 817d0c18090000 7217 }
            // n = 7, score = 400
            //   720d                 | jb                  0xf
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8a044591a64600       | mov                 al, byte ptr [eax*2 + 0x46a691]
            //   8806                 | mov                 byte ptr [esi], al
            //   46                   | inc                 esi
            //   817d0c18090000       | cmp                 dword ptr [ebp + 0xc], 0x918
            //   7217                 | jb                  0x19

        $sequence_8 = { 885d08 8bc6 8b4df4 64890d00000000 59 5f 5e }
            // n = 7, score = 400
            //   885d08               | mov                 byte ptr [ebp + 8], bl
            //   8bc6                 | mov                 eax, esi
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_9 = { 895e38 895e3c 895e40 885dfc 837e3010 720c 8b461c }
            // n = 7, score = 400
            //   895e38               | mov                 dword ptr [esi + 0x38], ebx
            //   895e3c               | mov                 dword ptr [esi + 0x3c], ebx
            //   895e40               | mov                 dword ptr [esi + 0x40], ebx
            //   885dfc               | mov                 byte ptr [ebp - 4], bl
            //   837e3010             | cmp                 dword ptr [esi + 0x30], 0x10
            //   720c                 | jb                  0xe
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]

    condition:
        7 of them and filesize < 1076224
}
Download all Yara Rules