Milum (Type: Backdoor)

(Kaspersky) The malware uses the JSON format for configuration data and as a C2 communication protocol over HTTP as well. Inside the encrypted communications within the HTTP POST requests, we found several interesting fields. One of them shows the malware version – 1.0.1. A version number like this indicates an early stage of development. Other fields suggest the existence of, at the very least, plans for non-C++ versions.

[News Analysis] Trends:

Total Trend: 3

Trend Per Year
2020: 2
2021: 1

Trend Per Month
Mar 2020: 1
Sep 2020: 1
Jul 2021: 1


[News Analysis] News Mention Another Threat Name (count - name):

1 - Guard
7 - Milum
6 - Poet RAT
6 - Mailto
6 - RagnarLocker
6 - REvil
6 - Ryuk
6 - Snake


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 Reconnaissance
TA0042 Resource Development
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0004 Privilege Escalation
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0009 Collection
TA0011 Command and Control
TA0010 Exfiltration
TA0040 Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

WildPressure targets the macOS platform

2021-07-07 by Denis Legezo from Kaspersky

Threat landscape for industrial automation systems - H1 2020

2020-09-24 by Kaspersky Lab ICS CERT from Kaspersky Labs

WildPressure targets industrial-related entities in the Middle East

2020-03-24 by Denis Legezo from Kaspersky Labs

Basic Information (Credit @etda.or.th)

Tool: Milum

Names: Milum

Category: Malware

Type: Backdoor

Information: https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.milum

Last-card-change: 2021-04-24

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi