In June 2021, our specialists discovered new malware called PseudoManuscrypt. They didn’t go out hunting specifically for it; our standard antivirus engine detected the malicious files, which were similar to known malware.
Why PseudoManuscrypt is dangerous
PseudoManuscrypt’s methods are fairly standard for spyware. It starts with a keylogger, grabbing information about established VPN connections and saved passwords. It also regularly steals clipboard contents, records sound using the built-in microphone (if the computer has one), and conducts a general analysis of the compromised system. One variant can also steal the credentials of QQ and WeChat messengers, capture images, and write captured images to video files. Then it sends the data to the attackers’ server. It also includes a tool for disabling security solutions.
None of the above is weird or surprising. It’s PseudoManuscrypt’s infection mechanism that makes it interesting. For the technical details of the attack and indicators of compromise, see our ICS CERT report.
Origin of the name
Our experts found some similarities between the new attack and the already known Manuscrypt campaign, but analysis revealed that a completely different actor, the APT41 group, had previously used part of the malware code in its attacks. We have yet to establish responsibility for the new attack, and for now we’re calling it PseudoManuscrypt.
Such problems of identification are interesting as such, and they are usually related to attempts by one group of attackers to pose as another threat actor. In general, the strategy of planting false flags is not very new.
How PseudoManuscrypt infects a system
Successful infection rests on a rather complex chain of events. The attack on a computer usually begins when the user downloads and executes a pirated key generator for popular software.
You can find PseudoManuscrypt bait by searching the Internet for a pirated “key generator” to register software. Websites that distribute malicious code matching popular queries rank high in search engine results, a metric attackers seem to monitor.
Here you can clearly see why there have been so many attempts to infect industrial systems. In addition to providing keys for popular software (such as office suites, security solutions, navigation systems, and 3D first-person shooters), the attackers also offer fake cracks for professional software, including certain utilities for interacting with PLC controllers using the ModBus. The result: an abnormally high number of infections in industrial organizations (7.2% of the total).
The example in the screenshot above features software for system administrators and network engineers. Such an attack vector could provide attackers with immediate, full access to the company’s infrastructure.
The attackers also use a Malware-as-a-Service delivery mechanism, paying other cybercriminals to distribute PseudoManuscrypt. That practice gave rise to an interesting feature we found when analyzing the malicious files: Some were bundled with other malware that the victim installed as a single package. The purpose of PseudoManuscrypt is to spy, but other malicious programs seek other objectives, such as data encryption and money extortion.
Who is PseudoManuscrypt targeting?
The largest number of PseudoManuscrypt detections have occurred in Russia, India, Brazil, Vietnam, and Indonesia. Of the huge number of attempts to run malicious code, users at industrial organizations account for a significant share. Victims in this sector include managers of building automation systems, energy companies, manufacturers, construction companies, and even service providers for water treatment plants. The overwhelming majority of hacking attempts were aimed at developers of certain solutions used in industry.
Methods for defending against PseudoManuscrypt
Overall, standard malware detection and blocking tools provide effective protection against PseudoManuscrypt — but they are necessary, and they must be installed on 100% of a company’s systems. In addition, we recommend instituting policies that make disabling protection difficult.
For IT systems in industry, we also offer a specialized solution, Kaspersky Industrial CyberSecurity, which both protects computers (including specialized ones) and monitors data transfers that use specific protocols.
Also keep in mind the importance of raising personnel awareness of cybersecurity risks. You can’t totally rule out the possibility of clever phishing attacks, but you can help staff stay alert, and also educate them about the danger of installing unauthorized (and especially pirated) software on computers with access to industrial systems.