Thousands of industrial computers around the world were hit by a spyware campaign. 1,6 percent of the affected ICS computers in Germany. The malware used has similarities with Lazarus.
From mid-January to mid-November 2021, Kaspersky experts observed new malware that infected more than 35.000 computers in 195 countries. The 'PseudoManuscrypt' malware shows similarities to the 'Manuscrypt' malware from the Advanced Persistent Threat (APT) group Lazarus. It has advanced espionage capabilities and has so far been detected in attacks on government organizations and industrial control systems (ICS).
35.000 ICS computers affected
Industrial companies are among the most sought-after targets of cyber criminals - both for financial reasons and because they have a lot of information to offer. This year, APT groups such as Lazarus and APT41 showed a keen interest in industrial companies. When investigating a number of attacks, the Kaspersky experts found a new piece of malware that bears certain similarities to the Lazarus Manuscrypt malware, which was used against the defense industry as part of the group's ThreatNeedle campaign. The name PseudoManuscrypt is therefore based on the similarity of the two campaigns.
Infection with PseudoManuscrypt
PseudoManuscrypt is initially downloaded onto the target person's systems via fake installation archives for pirated software, some of which are intended for ICS-specific pirated copies. These fake installers are likely offered via a Malware-as-a-Service (MaaS) platform, but in some cases PseudoManuscrypt was also installed via the infamous Glupteba botnet. The initial infection is followed by a complicated chain of infection, which is then probably used to download the harmful main module.
The Kaspersky experts were able to identify two variants of this module, both of which have advanced spyware functions - including the logging of keystrokes, the copying of data from the clipboard, the theft of VPN (and possibly RDP) authentication and connection data as well copying screenshots.
Industry targeted by hackers and APT groups
Kaspersky products blocked PseudoManuscrypt on more than 20 computers in 10 countries between January 2021 and November 35.000, 195. Many of the targets were industrial and government organizations, including military-industrial companies and research laboratories. 7,2 percent of the attacked computers were part of industrial control systems (ICS), with the mechanical engineering and building automation sectors being hardest hit. 1,6 percent of the compromised ICS computers and 2,2 percent of the other infected computers were in Germany. The attacks show no industry preference, but the large number of technical computers affected, including systems used for 3D and physical modeling and digital twins, suggests that industrial espionage could be a target.
It is strange that some of those affected by ICS computers have connections to those affected by the Lazarus campaign, which Kaspersky's ICS CERT has already reported on. The data is sent to the attacker's server via a rare protocol that uses a library that was previously only used in the APT41 malware. However, given the large number of victims and the lack of a clear focus, Kaspersky does not associate the campaign with Lazarus or any other known APT threat actor.
More at Kaspersky.com
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/