According to Kaspersky researchers, the name stems from its resemblance to the Manuscrypt malware, which is part of the Lazarus APT group’s attack arsenal. The operation is described as a “mass-scale spyware attack campaign.” The Russian cybersecurity firm reported that the attacks were first discovered in June 2021.
Between January 20 and November 10, 2021, Kaspersky products blocked PseudoManuscrypt on over 35,000 PCs in 195 countries. The Lazarus gang, and APT attacks in general, do not typically target such a vast number of computers.
At least 7.2 percent of the machines infected by the malware are part of industrial control systems (ICS) used by enterprises in the engineering, building automation, energy, manufacturing, construction, utilities, and water management sectors, situated predominantly in India, Vietnam, and Russia. Among non-ICS PCs, Russia (10.1 percent), India (10 percent), and Brazil (9.3 percent) account for over a third (29.4 percent) of infections.
The Kaspersky ICS CERT team said that “the PseudoManuscrypt loader gets onto user systems through a MaaS platform that distributes malware in pirated software installation packages. The installation of the PseudoManuscrypt downloader via the Glupteba botnet is one unique scenario of its distribution.”
Coincidentally, Glupteba’s operations have suffered a significant setback after Google announced earlier this month that it had taken steps to dismantle the botnet’s infrastructure and was pursuing legal action against two Russian nationals, as well as 15 other unnamed individuals, who are alleged to have managed the malware.
Windows 10, Microsoft Office, Adobe Acrobat, Garmin, Call of Duty, SolarWinds Engineer’s Toolset, and even Kaspersky’s own antivirus solution are among the cracked installers used to fuel the botnet. The attackers use a technique known as search poisoning, in which they establish malicious websites and use search engine optimization (SEO) techniques to make them appear prominently in search results.
Once installed, PseudoManuscrypt carries a wide range of capabilities that give the attackers full control over the infected system. These include disabling antivirus software, stealing VPN connection data, logging keystrokes, recording audio, capturing screenshots and videos of the screen, and intercepting data on the clipboard.
The malware samples analysed by the ICS CERT also contained Chinese-language comments and specified Chinese as the preferred language when connecting to the C2 server, but these signals were insufficient to reach a determination about the malware’s operators or origins. The campaign’s ultimate goals are also unclear, leaving open the question of whether the attacks are financially motivated or state-sponsored.
Finally, the researchers concluded that “the high number of engineering computers attacked, including systems used for 3D and physical modelling, as well as the production and deployment of digital twins, enhances the possibility of industrial espionage.”