Mass spyware campaign targets thousands of ICS computers – GlobeNewswire

Woburn, MA, Dec. 16, 2021 (GLOBE NEWSWIRE) — From January to November 2021, Kaspersky experts uncovered a new piece of malware that has targeted more than 35,000 computers across 195 countries. Dubbed “PseudoManuscrypt” for its similarities with the advanced persistent threat (APT) group Lazarus’ Manuscrypt malware, this new malware contains advanced spying capabilities and has been seen targeting both government organizations and industrial control systems (ICS) across numerous industries.  

Industrial organizations are some of the most coveted targets for cybercriminals, both for financial gain and for intelligence gathering. In fact, 2021 saw significant interest in industrial organizations from well-known APT groups like Lazarus and APT41. While investigating another string of attacks, Kaspersky experts uncovered a new piece of malware with some similarities to Lazarus’ “Manuscrypt”, the custom malware used in the group’s ThreatNeedle campaign against the defense industry, and dubbed it PseudoManuscrypt.

From January 20 to November 10, 2021, Kaspersky products blocked PseudoManuscrypt on more than 35,000 computers in 195 countries. Many of the targets were industrial and government organizations including military-industrial enterprises and research laboratories. 7.2% of attacked computers were part of industrial control systems (ICS), with engineering and building automation representing the most affected industries. 

PseudoManuscrypt is initially downloaded onto targets’ systems via fake pirated software installer archives, some of which pose as pirated ICS-specific software. It is likely that these fake installers are offered via a Malware-as-a-Service (MaaS) platform. Curiously, in some cases PseudoManuscrypt was installed via the infamous Glupteba botnet. After the initial infection, a complicated infection chain is initiated that eventually downloads the main malicious module. Kaspersky experts have identified two variants of this module. Both have advanced spyware capabilities, including logging keystrokes, copying data from the clipboard, stealing VPN (and potentially RDP) authentication credentials and connection data, and capturing screenshots.

The attacks show no preference for particular industries; however, the large number of engineering computers attacked, including systems used for 3D and physical modeling and digital twins, suggests that industrial espionage may be one objective.

Oddly enough, some of the victims share ties with the victims of the Lazarus campaign ICS CERT previously reported on, and data is sent to the attackers’ server over a rare protocol using a library that has previously only been used with APT41’s malware. Nevertheless, given the large number of victims and the lack of an explicit focus, Kaspersky does not link the campaign to Lazarus or any known APT threat actor.

“This is a highly unusual campaign, and we are still piecing together the various information we have,” comments Vyacheslav Kopeytsev, security expert at Kaspersky. “However, one fact is clear: this is a threat that specialists need to pay attention to. It has been able to make …….

Source: https://www.globenewswire.com/news-release/2021/12/16/2353713/0/en/Mass-spyware-campaign-targets-thousands-of-ICS-computers-around-the-world.html