Experts from Kaspersky have discovered a new strain of malware that has targeted over 35 000 computers in 195 countries.
While investigating a different series of attacks, Kaspersky found this new malware that had several similarities to “Manuscrypt”, a custom malware employed in the notorious Lazarus APT group’s ThreatNeedle campaign against the defence industry, and hence named it PseudoManuscrypt.
This latest scourge contains advanced spying capabilities and has been seen targeting government organisations as well as industrial control systems across a wide range of industries.
According to Kaspersky, threat actors often have industrial organisations in their cross hairs, as the financial gain and intelligence gathering in a successful attack is significant. Last year, the company saw a lot of interest in these types of organisations from notorious APT groups including APT41 and Lazarus.
From 20 January to 10 November last year, Kaspersky products blocked this new malware on more than 35 000 computers worldwide, discovering that many of the targets were industrial and government organisations, including military-industrial enterprises and research laboratories. Some 7.2% of attacked computers were part of industrial control systems, with engineering and building automation representing the most affected industries.
How it works
PseudoManuscrypt is initially downloaded on the victim’ systems through fake pirated software installer archives, some of which are for ICS-specific pirated software.
Kaspersky says it is likely these fake installers are offered via a malware-as-a-service platform, but in some cases it was installed via the infamous Glubteba botnet. After initial infection, a complicated infection chain is initiated which eventually downloads the main malicious module.
One fact is clear: this is a threat that specialists need to pay attention to.
Vyacheslav Kopeytsev, Kaspersky
There are two variants of this module, both of which are capable of advanced spyware capabilities, including logging keystrokes, copying data from the clipboard, stealing VPN (and potentially RDP) authentication credentials and connection data, copying screenshots, etc.
Although the attacks show no preference for any specific industry, the large number of engineering computers attacked, including systems used for 3D and physical modeling and digital twins, suggest that industrial espionage may be one objective.
Shared connections
Strangely enough, several of the victims share ties with the victims of another Lazarus campaign, and data is sent to the bad actors’ server over a rare protocol using a library that has previously only been used with APT41’s malware.
Regardless, due to the high number of victims and the lack of an explicit focus, Kaspersky does not link the campaign to Lazarus or any known APT threat actor.
Vyacheslav Kopeytsev, security expert at Kaspersky, says this is a highly unusual campaign, and the company is still piecing together the information it has.
“However, one fact is clear: this is a threat that specialists need to pay attention to. It has been able to make its way onto thousands of ICS computers, including many high-profile organisations. We will be continuing our investigations, keeping the security community apprised any new findings,” he ends.
Share