Security researchers have detected a new mass malware campaign associated with the previously known Manuscrypt loader, which is part of the Lazarus APT group's arsenal. The discovery comes from Kaspersky's Securelist.
“Curiously, the data exfiltration channel of the malware uses an implementation of the KCP protocol that has previously been seen in the wild only as part of the APT41 group’s toolset. We dubbed the newly-identified malware PseudoManuscrypt,” Securelist researchers said.
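Because the KCP exfiltration channel is the one concrete network indicator the report gives, a responder will want to recognise KCP segments in captured UDP traffic. The following is an added example, not code from the original article or from Kaspersky: a parser for the 24-byte KCP segment header as laid out in the public reference implementation (ikcp.c: conv, cmd, frg, wnd, ts, sn, una, len, all little-endian), applied to a constructed sample datagram. The header layout is assumed from that reference implementation; the report does not say whether the malware's KCP build changes it, so treat a match as a triage hint rather than a signature.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Wire layout of one KCP segment header (24 bytes, little-endian), as encoded by
# the public reference implementation (ikcp.c): conv, cmd, frg, wnd, ts, sn, una, len.
# Assumption: the malware's KCP build uses the same layout; the report does not say.
KCP_HEADER = struct.Struct("<IBBHIIII")
KCP_OVERHEAD = KCP_HEADER.size  # 24
KCP_CMDS = {81: "PUSH", 82: "ACK", 83: "WASK", 84: "WINS"}


@dataclass
class KcpSegment:
    conv: int    # conversation id, constant for a whole session
    cmd: int     # 81..84, see KCP_CMDS
    frg: int     # fragments remaining after this one (PUSH only)
    wnd: int     # receive window advertised by the sender
    ts: int      # sender timestamp in milliseconds
    sn: int      # sequence number
    una: int     # sender has received every sn below this value
    data: bytes  # payload carried by a PUSH segment, empty otherwise


def parse_kcp_segments(payload: bytes) -> Optional[List[KcpSegment]]:
    """Split one UDP payload into KCP segments.

    Returns the segment list, or None when the payload is not well-formed KCP:
    a truncated header, an unknown cmd, a declared length that overruns the
    datagram, or a conv that changes mid-datagram (the reference stack rejects
    each of these on input, so they are cheap to check before deeper analysis).
    """
    segments: List[KcpSegment] = []
    offset = 0
    session_conv = None
    while offset < len(payload):
        if len(payload) - offset < KCP_OVERHEAD:
            return None
        conv, cmd, frg, wnd, ts, sn, una, length = KCP_HEADER.unpack_from(payload, offset)
        if cmd not in KCP_CMDS:
            return None
        if session_conv is None:
            session_conv = conv
        elif conv != session_conv:
            return None
        offset += KCP_OVERHEAD
        if length > len(payload) - offset:
            return None
        segments.append(KcpSegment(conv, cmd, frg, wnd, ts, sn, una, payload[offset:offset + length]))
        offset += length
    return segments or None


def build_kcp_segment(conv: int, cmd: int, frg: int, wnd: int,
                      ts: int, sn: int, una: int, data: bytes = b"") -> bytes:
    """Encode one segment the way ikcp_encode_seg does; used here to build test input."""
    return KCP_HEADER.pack(conv, cmd, frg, wnd, ts, sn, una, len(data)) + data


# Constructed sample datagram (not captured traffic): one PUSH carrying 5 bytes
# followed by a piggy-backed ACK, which is how the reference stack batches output.
SAMPLE_DATAGRAM = (
    build_kcp_segment(0x11223344, 81, 0, 128, 1000, 7, 3, b"hello")
    + build_kcp_segment(0x11223344, 82, 0, 128, 1001, 2, 3)
)
# Constructed non-KCP payload of the same order of size (cmd byte would be 'k').
NOT_KCP = b"not kcp traffic at all, just bytes"


def summarize(payload: bytes) -> str:
    """One-line triage string for a UDP payload."""
    segs = parse_kcp_segments(payload)
    if segs is None:
        return "not KCP"
    return ", ".join(
        f"{KCP_CMDS[s.cmd]} conv={s.conv:#x} sn={s.sn} una={s.una} len={len(s.data)}"
        for s in segs
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_DATAGRAM))
    print(summarize(NOT_KCP))
```

In practice you would feed `parse_kcp_segments` each UDP payload of a suspect flow and then look at session-level behaviour: a constant `conv` across many datagrams, monotonically increasing `sn` on PUSH segments, and `una` values that track them are what distinguish a real KCP session from a random payload that happens to pass the header checks.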
What Is PseudoManuscrypt Malware?
The newly detected loader is distributed through a malware-as-a-service (MaaS) platform, with its payloads packaged inside installers for pirated software. One of the ways the malware gets onto a system is via the well-known Glupteba botnet. Since both Glupteba and PseudoManuscrypt rely on pirated software to propagate, the researchers believe the campaign is not targeted but large-scale.
From January 20 to November 10, 2021, Kaspersky products blocked PseudoManuscrypt on more than 35,000 computers worldwide. It should be noted that this type of attack is not typical for the Lazarus APT group, which is mostly known for targeted operations.
Who is targeted? According to the report, PseudoManuscrypt victims include a large number of industrial and government organizations, among them enterprises in the military-industrial complex and research laboratories.
Telemetry reveals that at least 7.2% of all machines compromised by PseudoManuscrypt are part of industrial control systems (ICS) used across industries such as engineering, building automation, energy, manufacturing, construction, utilities, and water management.
What’s the purpose of PseudoManuscrypt? The main malware module appears to be built for extensive spyware functionality: it can harvest VPN connection data, log keystrokes, capture screenshots and video, record audio from the microphone, and steal clipboard contents and OS event log data, among other things. In a nutshell, attackers gain full control of the compromised system.
FinSpy Is Another Highly Capable Spyware
In September 2021, another highly capable spyware was detected in the wild by Kaspersky. The researchers had been tracking FinSpy’s development since 2011 and noted an unexplained drop in its detection rate on Windows in 2018. That is when the team began detecting suspicious installers of legitimate applications, backdoored with a relatively small obfuscated downloader.
FinSpy has been described as highly modular spyware into which a great deal of work has been put. The threat actors behind it have gone to extreme lengths to keep it out of the hands of security researchers, an effort that is both worrying and impressive. Equal effort has gone into obfuscation, anti-analysis, and the trojan itself.