SYMBOLCOMMON_NAMEaka. SYNONYMS
win.milum (Back to overview)

Milum


In August 2019, Kaspersky Labs discovered a malware they dubbed Milum (naming based on internal file name fragments) when investigating an operation they named WildPressure. It is written in C++ using STL, primarily to parse JSON. Functionality includes bidirectional file transmission and remote command execution.

References
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake Ransomware
2020-03-24Kaspersky LabsDenis Legezo
@online{legezo:20200324:wildpressure:add6905, author = {Denis Legezo}, title = {{WildPressure targets industrial-related entities in the Middle East}}, date = {2020-03-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/}, language = {English}, urldate = {2020-03-26} } WildPressure targets industrial-related entities in the Middle East
Milum
Yara Rules
[TLP:WHITE] win_milum_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_milum_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.milum"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? c645fc14 c645fc13 8dbd0cffffff e8???????? 8bf8 c645fc15 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   c645fc14             | mov                 byte ptr [ebp - 4], 0x14
            //   c645fc13             | mov                 byte ptr [ebp - 4], 0x13
            //   8dbd0cffffff         | lea                 edi, [ebp - 0xf4]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   c645fc15             | mov                 byte ptr [ebp - 4], 0x15

        $sequence_1 = { c745fc01000000 8d4d9c 894d94 c645fc04 895da8 ba03000000 895d9c }
            // n = 7, score = 400
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   8d4d9c               | lea                 ecx, [ebp - 0x64]
            //   894d94               | mov                 dword ptr [ebp - 0x6c], ecx
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   895da8               | mov                 dword ptr [ebp - 0x58], ebx
            //   ba03000000           | mov                 edx, 3
            //   895d9c               | mov                 dword ptr [ebp - 0x64], ebx

        $sequence_2 = { 8bf8 83c404 897dc8 c645fc0f 3bfb 7475 83ec1c }
            // n = 7, score = 400
            //   8bf8                 | mov                 edi, eax
            //   83c404               | add                 esp, 4
            //   897dc8               | mov                 dword ptr [ebp - 0x38], edi
            //   c645fc0f             | mov                 byte ptr [ebp - 4], 0xf
            //   3bfb                 | cmp                 edi, ebx
            //   7475                 | je                  0x77
            //   83ec1c               | sub                 esp, 0x1c

        $sequence_3 = { 57 ff15???????? 85c0 0f95c0 84c0 7460 }
            // n = 6, score = 400
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f95c0               | setne               al
            //   84c0                 | test                al, al
            //   7460                 | je                  0x62

        $sequence_4 = { ddd8 d9ee 5d c3 85c0 7809 dc0cc5e89c4600 }
            // n = 7, score = 400
            //   ddd8                 | fstp                st(0)
            //   d9ee                 | fldz                
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   85c0                 | test                eax, eax
            //   7809                 | js                  0xb
            //   dc0cc5e89c4600       | fmul                qword ptr [eax*8 + 0x469ce8]

        $sequence_5 = { bf07000000 33c9 897ddc 895dd8 66894dc8 885dfc }
            // n = 6, score = 400
            //   bf07000000           | mov                 edi, 7
            //   33c9                 | xor                 ecx, ecx
            //   897ddc               | mov                 dword ptr [ebp - 0x24], edi
            //   895dd8               | mov                 dword ptr [ebp - 0x28], ebx
            //   66894dc8             | mov                 word ptr [ebp - 0x38], cx
            //   885dfc               | mov                 byte ptr [ebp - 4], bl

        $sequence_6 = { 7506 b101 47 897db8 8a17 80fa30 0f8caa000000 }
            // n = 7, score = 400
            //   7506                 | jne                 8
            //   b101                 | mov                 cl, 1
            //   47                   | inc                 edi
            //   897db8               | mov                 dword ptr [ebp - 0x48], edi
            //   8a17                 | mov                 dl, byte ptr [edi]
            //   80fa30               | cmp                 dl, 0x30
            //   0f8caa000000         | jl                  0xb0

        $sequence_7 = { e8???????? 83f806 0f8da0000000 8b5710 83c204 52 68???????? }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83f806               | cmp                 eax, 6
            //   0f8da0000000         | jge                 0xa6
            //   8b5710               | mov                 edx, dword ptr [edi + 0x10]
            //   83c204               | add                 edx, 4
            //   52                   | push                edx
            //   68????????           |                     

        $sequence_8 = { 8d8d30f0feff 51 ba???????? eb0c 8d9530f0feff 52 }
            // n = 6, score = 400
            //   8d8d30f0feff         | lea                 ecx, [ebp - 0x10fd0]
            //   51                   | push                ecx
            //   ba????????           |                     
            //   eb0c                 | jmp                 0xe
            //   8d9530f0feff         | lea                 edx, [ebp - 0x10fd0]
            //   52                   | push                edx

        $sequence_9 = { 50 c745cc70714600 e8???????? 8b7508 bf63736de0 393e 0f85a5010000 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   c745cc70714600       | mov                 dword ptr [ebp - 0x34], 0x467170
            //   e8????????           |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   bf63736de0           | mov                 edi, 0xe06d7363
            //   393e                 | cmp                 dword ptr [esi], edi
            //   0f85a5010000         | jne                 0x1ab

    condition:
        7 of them and filesize < 1076224
}
Download all Yara Rules