PseudoManuscrypt, a mysterious massive cyber espionage campaign

Tens of thousands of devices worldwide, including many industrial control systems (ICS), have been hit by the PseudoManuscrypt spyware.

Kaspersky researchers reported that tens of thousands of devices belonging to industrial and government organizations worldwide have been hit by the PseudoManuscrypt spyware.

The name PseudoManuscrypt comes from the similarities with the Manuscrypt malware used by the North Korea-linked Lazarus APT group in attacks aimed at the defense industry.

The experts revealed that at least 7.2% of all systems targeted by the PseudoManuscrypt malware are part of industrial control systems (ICS) used by organizations in multiple industries, including Engineering, Building Automation, Energy, Manufacturing, Construction, Utilities, and Water Management.

The malware had attacked at least 35,000 systems in 195 countries between January and November 2021 which is uncommon for targeted attacks carried out by nation-state actors.

The PseudoManuscrypt loader is delivered via a Malware-as-a-Service (MaaS) platform that distributes the malicious code in pirated software installer archives. Experts also observed the spyware distributed via the Glupteba botnet.

PseudoManuscrypt supports a broad range of spying capabilities, such as stealing VPN connection data, logging keypresses, capturing screenshots and videos of the screen, recording sound with the microphone, stealing clipboard data and operating system event log data (which also makes stealing RDP authentication data possible), and much more.

Nearly a third (29.4%) of non-ICS computers targeted by the malware are located in Russia (10.1%), India (10%), and Brazil (9.3%), while most of the ICS hit by the spyware was in India, Vietnam and Russia.

The spyware uses the KCP protocol to connect to the C2 server, which is uncommon for malware. In the past, the KCP protocol has been used by the China-linked APT41 in its attacks on industrial organizations.

The researchers also noticed that the malware samples also contain comments written in Chinese and that the spyware connects to the Baidu cloud storage service.

The PseudoManuscrypt sets Chinese as the preferred language when contacting the C&C server.

“Despite collecting and analyzing a large amount of data, it seems to us that many of our findings remain unexplained and do not fit any known schemes. Thus, we cannot say for certain whether the campaign is pursuing criminal mercenary goals or goals correlating with some governments’ interests. Nevertheless, the fact that attacked systems include computers of high-profile organizations in different countries makes us assess the threat level as high.” concludes the report. “The large number of engineering computers attacked, including systems used for 3D and physical modeling, the development and use of digital twins raises the issue of industrial espionage as one of the possible objectives of the campaign.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PseudoManuscrypt)

[adrotate banner=”5″]

[adrotate banner=”13″]