Industrial organizations are among the most attractive targets for cybercriminals in terms of both financial gain and intelligence gathering. 2021 saw well-known APT groups such as Lazarus and APT41 attack industrial establishments. While investigating another series of attacks, Kaspersky experts uncovered a new piece of malware that has some similarities to Lazarus’ “Manuscrypt”, the proprietary malware the group used in its ThreatNeedle campaign against the defense industry. That’s why the software was named PseudoManuscrypt.
From January 20 to November 10, 2021, Kaspersky products blocked PseudoManuscrypt on more than 35,000 computers in 195 countries. Most of the targets were industry and government organizations, including military-industrial enterprises and research laboratories. 7.2% of computers attacked were part of industrial control systems (ICS). Engineering and building automation represented the most affected segments.
PseudoManuscrypt is initially downloaded to the targeted system via fake anti-piracy installer archives, some of which are specific to ICS. These fake installers are likely to be offered through the Malware as a Service (MaaS) platform. Interestingly, in some cases PseudoManuscrypt is installed via the notorious Glupteba botnet. After the initial infection, a complex chain of infections is started, which downloads the main malicious module. Kaspersky experts have identified two variants of this module. Both have advanced spying capabilities, including logging keystrokes, copying data from clipboard, stealing VPN (and potentially RDP) authentication information and connection data, copying screenshots.
The attacks do not show a preference for certain industries. But the large number of hacked engineering computers, including systems used for 3D and physical modeling and digital twins, indicates that industrial espionage can be a single target.
Strangely, some of the victims seem to be linked to the victims of the Lazarus campaign that ICS CERT previously reported. The data is sent to the attackers’ server over a rare protocol with the help of a library that was previously only used with APT41’s malware. However, given the large number of victims and lack of focus, Kaspersky does not associate the campaign with Lazarus or any known APT threat actors.
Vyacheslav Kopeytsev, Security Specialist at Kaspersky, said: “This is a rather unusual campaign and we are still putting together the various information we have. But there is one clear truth: It is a threat that experts should watch out for, and thousands of ICS, including many high-profile organizations managed to hack into his computer. We will continue our investigations by keeping the security community informed of new findings.”
You can learn more about the PseudoManuscrypt campaign at ICS CERT.
Kaspersky experts advise organizations to protect themselves from PseudoManuscrypt:
- Install endpoint protection software on all servers and workstations
- Check that all endpoint protection components are enabled on systems and that policies that require an administrator password are in place in case someone tries to disable the software.
- Check that Active Directory policies contain restrictions on attempts by users to log into systems. Users should only be allowed to access systems they need to access to fulfill their job responsibilities.
- Restrict network connections, including VPN, between systems on the OT network. Block connections on all ports that are not essential for the continuity and security of operations.
- Use smart cards (tokens) or one-time codes as a second authentication factor when establishing a VPN connection. Where this is applicable, you can use Access Control List (ACL) technology to restrict the list of IP addresses from which a VPN connection can be initiated.
- Educate organization employees to work securely with the Internet, email, and other communication channels. Explain the possible consequences of downloading and playing files, especially from unverified sources.
- Use accounts with local administrator and domain administrator privileges only when necessary to fulfill job responsibilities.
- Consider using Managed Threat Detection and Response services to quickly access the expertise of high-level information and security experts.
- Use special protection for your workshops. Kaspersky Industrial CyberSecurity protects industrial endpoints and enables it to monitor the OT network to identify and block malicious activity.
36398
