New PseudoManuscrypt Malware Currently Infecting Computers

A new malware family called PseudoManuscrypt has been observed attacking industrial and government organizations, including enterprises in the military-industrial complex and research laboratories.

The name is derived from its similarities to the Manuscrypt malware, which is part of the Lazarus APT group's attack toolset. The series of intrusions was first detected in June 2021.

At least 7.2% of the computers attacked by the malware are part of industrial control systems (ICS) used by organizations in the engineering, building automation, energy, manufacturing, construction, utilities and water management sectors, located mainly in India, Vietnam and Russia. Among the non-ICS computers attacked, the three most affected countries are Russia (10.1%), India (10%) and Brazil (9.3%), together accounting for 29.4%.

The PseudoManuscrypt loader reaches users' systems through a malware-as-a-service (MaaS) platform, with the malware distributed in pirated software installer archives. The PseudoManuscrypt downloader has also been observed being installed via the Glupteba botnet. Glupteba itself took a significant hit after Google earlier this month disclosed that it had acted to dismantle the botnet's infrastructure.

The pirated software installations are driven by a method called search poisoning, in which the attackers create malicious websites and use search engine optimization (SEO) tactics to make them show up prominently in search results.

PseudoManuscrypt comes with intrusive capabilities that allow the attacker to take full control of the infected system: it disables antivirus solutions, steals VPN connection data, logs keystrokes and intercepts data stored in the clipboard.

Kaspersky noted that it has identified 100 different versions of the PseudoManuscrypt loader, with the earliest test variants dating back to March 27, 2021. Components of the trojan have been borrowed from commodity malware such as Fabookie and from a KCP protocol library previously used by the China-based APT41 group for sending data back to the attackers' command-and-control (C2) servers.
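The article only says the trojan reuses a KCP library, not how its C2 traffic is framed on the wire. The following is an added example written for this page, not code from the article, Kaspersky or the malware: it decodes the standard 24-byte KCP segment header (the little-endian layout used by the reference ikcp.c, with command bytes 81 PUSH, 82 ACK, 83 WASK, 84 WINS) so an analyst can triage UDP flows for KCP framing. The sample datagrams are constructed inline, the function names `build_segment`, `parse_kcp_datagram` and `kcp_score` are my own, and the example assumes the segments appear unwrapped in the UDP payload, which the page does not confirm.

```python
import struct

# KCP segment header as encoded by the reference ikcp.c implementation
# (little-endian): conv u32, cmd u8, frg u8, wnd u16, ts u32, sn u32, una u32, len u32.
KCP_HEADER = struct.Struct("<IBBHIIII")
KCP_OVERHEAD = KCP_HEADER.size  # 24 bytes
KCP_CMDS = {81: "PUSH", 82: "ACK", 83: "WASK", 84: "WINS"}


def build_segment(conv, cmd, data=b"", frg=0, wnd=128, ts=0, sn=0, una=0):
    """Encode one KCP segment. Used here only to construct sample traffic."""
    return KCP_HEADER.pack(conv, cmd, frg, wnd, ts, sn, una, len(data)) + data


def parse_kcp_datagram(payload):
    """Split a UDP payload into KCP segments.

    Returns a list of segment dicts, or None if the payload does not decode
    cleanly as a sequence of KCP segments: unknown command byte, a length that
    runs past the end of the datagram, trailing bytes, or a conversation id
    that changes mid-datagram (one datagram belongs to one conversation).
    """
    segments = []
    offset = 0
    conv_seen = None
    while offset + KCP_OVERHEAD <= len(payload):
        conv, cmd, frg, wnd, ts, sn, una, length = KCP_HEADER.unpack_from(payload, offset)
        if cmd not in KCP_CMDS:
            return None
        if conv_seen is not None and conv != conv_seen:
            return None
        conv_seen = conv
        body_start = offset + KCP_OVERHEAD
        body_end = body_start + length
        if body_end > len(payload):
            return None
        segments.append({
            "conv": conv, "cmd": KCP_CMDS[cmd], "frg": frg, "wnd": wnd,
            "ts": ts, "sn": sn, "una": una, "data": payload[body_start:body_end],
        })
        offset = body_end
    if not segments or offset != len(payload):
        return None
    return segments


def kcp_score(datagrams):
    """Fraction of datagrams in a flow that decode as KCP: a triage signal, not a verdict."""
    if not datagrams:
        return 0.0
    hits = sum(1 for d in datagrams if parse_kcp_datagram(d) is not None)
    return hits / len(datagrams)


# Constructed sample traffic (not captured from PseudoManuscrypt): one datagram
# carrying a PUSH segment with 5 bytes of data followed by an ACK, a second
# datagram holding only a window probe, and one datagram of non-KCP bytes
# (its fifth byte, the command field, is 4, which is not a KCP command).
SAMPLE_CONV = 0x1234ABCD
SAMPLE_DATAGRAMS = [
    build_segment(SAMPLE_CONV, 81, b"hello", sn=1) + build_segment(SAMPLE_CONV, 82, una=1),
    build_segment(SAMPLE_CONV, 83, wnd=32),
    bytes(range(40)),
]

if __name__ == "__main__":
    for i, datagram in enumerate(SAMPLE_DATAGRAMS):
        print(i, parse_kcp_datagram(datagram))
    print("kcp score:", kcp_score(SAMPLE_DATAGRAMS))
```

A high `kcp_score` on an outbound UDP flow is a lead, not a finding: KCP is also used by legitimate games and tunnelling tools, and a malware author can encrypt or wrap the segments so that no clean header is visible, in which case a low score proves nothing. Pair the check with the endpoint indicators the article lists (antivirus tampering, VPN credential access, keylogging and clipboard capture) before drawing conclusions.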

The malware samples analyzed by Kaspersky ICS CERT also contained comments written in Chinese and specified Chinese as the preferred language when connecting to the C2 server, but these clues alone are not enough to make an assessment about the malware's operators or their origin. The ultimate goals of the campaign are also unclear, raising the question of whether the attacks are financially motivated or state-backed.
