A new spyware has been tracked by researchers, who have dubbed it “PseudoManuscrypt”. It has targeted 35,000 computers in over 195 countries, making it a truly global threat.
Kaspersky researchers said that from 20th January 2021 to 10th November 2021, the cyber criminals behind the campaign were targeting government organisations and industrial control systems (ICS) across a range of industries, including engineering, building automation, energy, manufacturing, construction, utilities and water management. At least 7.2% of all attacked computers are part of this group.
Manuscrypt, aka NukeSped, is a family of malware tools that has been used in espionage campaigns in the past. An example of this was a February spear-phishing campaign linked to a prolific North Korean APT, Lazarus, that used the Manuscrypt malware family’s ‘ThreatNeedle’ tool to attack companies. The operators behind PseudoManuscrypt are using fake pirated software installer archives to initially download the spyware onto the targeted systems.
Researchers noted that the fake installers are for “ICS-specific software, such as an application designed to create a MODBUS Master Device to receive data from a PLC [programmable logic controller], as well as more general-purpose software, which is used on OT networks, such as a key generator for a SolarWinds tool for network engineers and systems administrators.”
Researchers suspect that threat actors are getting the fake installers from a malware-as-a-service (MaaS) platform that is providing them to operators of multiple malicious campaigns, not just this widely dispersed PseudoManuscrypt campaign. However, Kaspersky also found listings for the fake installers via a Google search.
Kaspersky outlined two variants of the module, both of which are outfitted with advanced spyware capabilities. One version rode in via the infamous Glupteba botnet: a hard-to-remove, 1 million-strong botnet of compromised Windows and internet of things (IoT) devices that Google’s Threat Analysis Group (TAG) disrupted earlier this month. The tie-in with Glupteba is a clue that PseudoManuscrypt could have originated on a MaaS platform, given that the botnet’s main installer “is also distributed via the pirated software installer distribution platform.”
PseudoManuscrypt’s main module has a full tool kit for spying, giving it the ability to:
- Steal VPN connection data
- Log keystrokes
- Grab screenshots and take screen videos
- Use a system’s microphone to eavesdrop and record sound
- Filch clipboard data
- Steal OS event log data – which also makes it possible to steal Remote Desktop Protocol (RDP) authentication data.
Researchers added: “Essentially, the functionality of PseudoManuscrypt provides the attackers with virtually full control of the infected system.” Kaspersky’s ICS-CERT team first detected the PseudoManuscrypt series of attacks in June, when the malware triggered anti-virus detection designed to spot Lazarus activity. It was via this method that Kaspersky subsequently found similarities between the new PseudoManuscrypt and Lazarus’s Manuscrypt malware.
The PseudoManuscrypt malware loads its payload from the system registry and decrypts it, researchers explained, with the payload using a registry location that’s unique to each infected system. Researchers said: “Both malicious programs load a payload from the system registry and decrypt it; in both cases, a special value in the CLSID format is used to determine the payload’s location in the registry – the executable files of both malicious programs have virtually identical export tables.”
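One defensive way to act on that detail is to hunt registry exports for large binary blobs sitting under CLSID-formatted value names. The script below is an added example, not code from Kaspersky or from the article: the heuristic (flag CLSID-named REG_BINARY values above a size threshold), the 4096-byte threshold and the sample .reg export are all constructed assumptions, not the malware's actual registry layout.

```python
"""Hunt a Windows .reg export for large REG_BINARY blobs under CLSID-formatted value
names. Added example: heuristic and sample are constructed, not Kaspersky's analysis."""
import re

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(hex(?:\([0-9a-f]+\))?):(.*)$', re.IGNORECASE)
MIN_SUSPICIOUS_BYTES = 4096  # assumption: tune per estate; real CLSID values are tiny


def logical_lines(text):
    """Join reg.exe continuation lines (trailing backslash) into one logical line."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""


def parse_reg_export(text):
    """Yield (key, name, type, data) for hex values only; an opaque payload is REG_BINARY."""
    key = None
    for line in logical_lines(text):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key is not None and (m := VALUE_RE.match(line)):
            name, reg_type, payload = m.groups()
            yield key, name, reg_type.lower(), bytes.fromhex(payload.replace(",", ""))


def find_suspicious_values(text, min_bytes=MIN_SUSPICIOUS_BYTES):
    """Return CLSID-named REG_BINARY values at least min_bytes long."""
    return [{"key": k, "value": n, "size": len(d)}
            for k, n, t, d in parse_reg_export(text)
            if t in ("hex", "hex(3)") and CLSID_RE.match(n) and len(d) >= min_bytes]


def reg_hex(blob, per_line=25):
    """Render bytes as reg.exe does: comma-separated hex with backslash continuations."""
    cells = [f"{b:02x}" for b in blob]
    return ",\\\n  ".join(",".join(cells[i:i + per_line]) for i in range(0, len(cells), per_line))


# Constructed sample export: a DWORD, a benign 4-byte CLSID value and a 5120-byte blob.
CONSTRUCTED_EXPORT = f"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\ExampleVendor]
"Build"=dword:00000007
"{{0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0}}"=hex:00,01,02,03
"{{8A3D2E1F-1111-2222-3333-444455556666}}"=hex:{reg_hex(bytes(range(256)) * 20)}
"""
```

On a live host the input would come from `reg export HKCU hkcu.reg` (or a hive parsed from a forensic image); only the oversized blob is reported, and the threshold is where most tuning happens.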
This news is obviously concerning, and Neuways advises users to be wary of any communications they receive. One slip-up and a successful installation could cause no end of problems for businesses: the cyber criminals clearly have the ability to watch their victims’ activities and, as a result, to exploit companies through the exfiltration of company data and information.