Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Thousands of Industrial Systems Targeted With New ‘PseudoManuscrypt’ Spyware

Tens of thousands of devices around the world, including many industrial control systems (ICS) and government computers, have been targeted in what appears to be an espionage campaign that involves a new piece of malware dubbed PseudoManuscrypt, Kaspersky revealed on Thursday.

Tens of thousands of devices around the world, including many industrial control systems (ICS) and government computers, have been targeted in what appears to be an espionage campaign that involves a new piece of malware dubbed PseudoManuscrypt, Kaspersky revealed on Thursday.

The attacks targeted 35,000 devices in 195 countries between January and November 2021, including devices housed by high-profile organizations. Roughly seven percent of the targets were ICS, with the engineering and building automation sectors being most impacted. Attacks were also aimed at military industrial enterprises and research laboratories.

In many cases, the attackers targeted engineering computers, including devices used for 3D and physical modeling, which led Kaspersky researchers to believe that the goal may be industrial espionage. However, the company noted that the number of victims is large and it could not determine a clear focus on a specific type of industrial organization.

Nearly one-third of the non-ICS devices targeted in this campaign were located in Russia, India and Brazil. As for ICS, the highest percentage of targets was observed in India, Vietnam and Russia.

PseudoManuscrypt malware targeting ICS

Kaspersky has dubbed the new spyware PseudoManuscrypt due to similarities to the Manuscrypt malware used by the North Korea-linked Lazarus group in attacks on the defense industry.

On the other hand, the malware uses the KCP protocol to connect to its command and control (C&C) server. The KCP protocol, whose use by malware is uncommon, has also been leveraged by the China-linked threat group APT41 in its attacks on industrial organizations.

The malware samples also contain comments written in Chinese, the malware connects to a cloud storage service offered by Chinese company Baidu, and the threat specifies Chinese as the preferred language when connecting to its C&C server.

However, Kaspersky said it cannot definitively link the PseudoManuscrypt campaign to Lazarus or any other known threat group.

The malware can steal VPN credentials, log keystrokes, capture the content of the screen (both images and video), record sound captured by the microphone, and steal clipboard and OS event log data.

PseudoManuscrypt has been distributed using pirated software installer archives — including ones related to ICS software — likely delivered by a malware-as-a-service platform. In some cases, the malware was delivered by the Glupteba botnet.

“Despite collecting and analyzing a large amount of data, it seems to us that many of our findings remain unexplained and do not fit any known schemes,” Kaspersky said. “Thus, we cannot say for certain whether the campaign is pursuing criminal mercenary goals or goals correlating with some governments’ interests.”

Related: Mac Malware Used in Attacks Targeting Industrial Organizations in Middle East

Related: Hundreds of Industrial Organizations Received Sunburst Malware in SolarWinds Attack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...