Posted on December 30, 2021 at 10:10 AM
Researchers have discovered a new malware family known as “PseudoManuscrypt.” The malware received this name because it shares features with Manuscrypt, malware used by the Lazarus group. The newly discovered malware comes with capabilities for spying on users.
The malware has targeted government institutions and other private institutions across different industries.
Researchers detect malware with spying capabilities
Cybercriminals usually focus their spying techniques on industrial organizations. These organizations are targeted for financial gain and to gather intelligence that can be used in targeted attacks later on.
In 2021, there was a significant increase in the number of industrial organizations targeted by notable APT groups, including APT41 and Lazarus. Recently, a report from Kaspersky described a new malware with features similar to the Lazarus Manuscrypt custom malware. The latter is used by the ThreatNeedle hacking group to launch campaigns targeting the defence sector.
Between January 20 and November 10, 2021, Kaspersky noted that its platform had blocked PseudoManuscrypt on over 35,000 devices in 195 countries. Most of the targeted devices during this campaign belonged to industrial and government bodies. Research organizations and military bodies were also targeted during the campaign.
Furthermore, around 7.2% of the targeted computers were linked to industrial control systems (ICS). The most affected industrial sectors were engineering and building automation.
The PseudoManuscrypt malware is installed on targeted devices through fake pirated-software installers. Most of the time, the software being impersonated is ICS-specific.
Most likely, the fake installers are distributed through a Malware-as-a-Service (MaaS) platform. In several instances, the malware was deployed using the Glupteba botnet. Once a device has been infected, an infection chain executes to download the malicious module.
The researchers at Kaspersky noted that two variants of the module had been deployed. Both can spy on users by logging keystrokes, copying data from the clipboard, stealing VPN authentication details, stealing connection data and capturing screenshots.
Forensic analysis of these attacks does not show that the attackers preferred particular industries. However, the lengths to which the threat actors went to attack engineering companies suggest that the aim of the attack could be industrial espionage.
The data analysis further shows that some victims of this new malware were also victims of the Lazarus campaign. The data obtained during a breach is sent to the attackers’ servers over a unique protocol through a library that was initially used in APT41 malware.
The report from Kaspersky has not attributed the campaign to the Lazarus group or any other APT threat actor. Vyacheslav Kopeytsev, a security expert from Kaspersky, noted that “this is a highly unusual campaign, and we are still piecing together the various information we have. However, one fact is clear: this is a threat that specialists need to pay attention to.”
“It has been able to make its way onto thousands of ICS computers, including many high-profile organizations. We will be continuing our investigations, keeping the security community apprised of any new findings,” the researcher adds.
Kaspersky offers several recommendations
The Kaspersky researchers have given several recommendations to those who want to stay safe from this malware. The researchers have urged organizations to install advanced protection mechanisms on their servers and workstations.
Moreover, the researchers have also stated that organizations need to check all the components of their endpoint protection and ensure they are enabled on their systems. They also urge these organizations to have a working policy that requires an administrator password before the protection software can be disabled.
Additionally, these organizations also need to restrict access to their networks, including access through platforms such as VPNs. Blocking connections on the ports that are not needed helps to preserve the continuity of the network and boost safety.
Another recommendation to improve safety is using a smart card to serve as a multi-factor authentication step when connecting to VPN networks. Training employees on online safety can also boost the enterprise’s security because it helps ensure that communication channels stay secured.
The use of local administrator and domain administrator accounts by employees should also be restricted to the functions that require them. Managed Detection and Response class services can also be used to gain access to a high level of expertise and the services of expert security personnel.
Finally, organizations are advised to employ a dedicated protective measure on their shop-floor systems. Such measures protect the organization’s endpoints and allow activity on the OT network to be monitored, with malicious activity identified and blocked.