SYMBOLCOMMON_NAMEaka. SYNONYMS
win.milum (Back to overview)

Milum


In August 2019, Kaspersky Labs discovered a malware they dubbed Milum (naming based on internal file name fragments) when investigating an operation they named WildPressure. It is written in C++ using STL, primarily to parse JSON. Functionality includes bidirectional file transmission and remote command execution.

References
2021-07-07KasperskyDenis Legezo
@online{legezo:20210707:wildpressure:0bdf5ef, author = {Denis Legezo}, title = {{WildPressure targets the macOS platform}}, date = {2021-07-07}, organization = {Kaspersky}, url = {https://securelist.com/wildpressure-targets-macos/103072/}, language = {English}, urldate = {2021-07-09} } WildPressure targets the macOS platform
Guard Milum
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-03-24Kaspersky LabsDenis Legezo
@online{legezo:20200324:wildpressure:add6905, author = {Denis Legezo}, title = {{WildPressure targets industrial-related entities in the Middle East}}, date = {2020-03-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/}, language = {English}, urldate = {2020-03-26} } WildPressure targets industrial-related entities in the Middle East
Milum
Yara Rules
[TLP:WHITE] win_milum_auto (20220411 | Detects win.milum.)
rule win_milum_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.milum."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.milum"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f85c1000000 8b7608 385e44 751c c6424401 c6464401 8b5104 }
            // n = 7, score = 400
            //   0f85c1000000         | jne                 0xc7
            //   8b7608               | mov                 esi, dword ptr [esi + 8]
            //   385e44               | cmp                 byte ptr [esi + 0x44], bl
            //   751c                 | jne                 0x1e
            //   c6424401             | mov                 byte ptr [edx + 0x44], 1
            //   c6464401             | mov                 byte ptr [esi + 0x44], 1
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]

        $sequence_1 = { e8???????? 83c404 8945ec 33db 3bc3 7469 8b4e04 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   33db                 | xor                 ebx, ebx
            //   3bc3                 | cmp                 eax, ebx
            //   7469                 | je                  0x6b
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]

        $sequence_2 = { 46 85c0 75f0 833cb5385e460000 7504 33c0 eb55 }
            // n = 7, score = 400
            //   46                   | inc                 esi
            //   85c0                 | test                eax, eax
            //   75f0                 | jne                 0xfffffff2
            //   833cb5385e460000     | cmp                 dword ptr [esi*4 + 0x465e38], 0
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb55                 | jmp                 0x57

        $sequence_3 = { 8a0a 42 3acb 75f9 2bd0 52 8d942440030000 }
            // n = 7, score = 400
            //   8a0a                 | mov                 cl, byte ptr [edx]
            //   42                   | inc                 edx
            //   3acb                 | cmp                 cl, bl
            //   75f9                 | jne                 0xfffffffb
            //   2bd0                 | sub                 edx, eax
            //   52                   | push                edx
            //   8d942440030000       | lea                 edx, dword ptr [esp + 0x340]

        $sequence_4 = { c7450c00000000 7439 8b4b28 8b4628 ba01000000 d3e2 8b4e20 }
            // n = 7, score = 400
            //   c7450c00000000       | mov                 dword ptr [ebp + 0xc], 0
            //   7439                 | je                  0x3b
            //   8b4b28               | mov                 ecx, dword ptr [ebx + 0x28]
            //   8b4628               | mov                 eax, dword ptr [esi + 0x28]
            //   ba01000000           | mov                 edx, 1
            //   d3e2                 | shl                 edx, cl
            //   8b4e20               | mov                 ecx, dword ptr [esi + 0x20]

        $sequence_5 = { 895e18 885e08 8b4df4 64890d00000000 59 5e 5b }
            // n = 7, score = 400
            //   895e18               | mov                 dword ptr [esi + 0x18], ebx
            //   885e08               | mov                 byte ptr [esi + 8], bl
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   59                   | pop                 ecx
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_6 = { 50 8d8528ffffff 50 57 e8???????? c645fc20 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   8d8528ffffff         | lea                 eax, dword ptr [ebp - 0xd8]
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   c645fc20             | mov                 byte ptr [ebp - 4], 0x20

        $sequence_7 = { c7450800000000 8945fc 3b560c 7785 8bd8 8b461c 8b4810 }
            // n = 7, score = 400
            //   c7450800000000       | mov                 dword ptr [ebp + 8], 0
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   3b560c               | cmp                 edx, dword ptr [esi + 0xc]
            //   7785                 | ja                  0xffffff87
            //   8bd8                 | mov                 ebx, eax
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]

        $sequence_8 = { 83c604 8d4db8 56 51 e8???????? }
            // n = 5, score = 400
            //   83c604               | add                 esi, 4
            //   8d4db8               | lea                 ecx, dword ptr [ebp - 0x48]
            //   56                   | push                esi
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_9 = { 68e9fd0000 ff15???????? 8bd8 53 e8???????? 83c404 837d1c08 }
            // n = 7, score = 400
            //   68e9fd0000           | push                0xfde9
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   837d1c08             | cmp                 dword ptr [ebp + 0x1c], 8

    condition:
        7 of them and filesize < 1076224
}
Download all Yara Rules