Kaspersky products blocked PseudoManuscrypt on more than 35,000 computers in 195 countries of the world. Targets of attacks include a significant number of industrial and government organizations, including enterprises in the military-industrial complex and research laboratories.
# Incident Report: PseudoManuscrypt Spyware Campaign
## Executive Summary
PseudoManuscrypt is a high-volume spyware campaign that affected over 35,000 systems globally, targeting industrial enterprises, research laboratories, and government entities. The malware is characterized by its complex multi-stage delivery system and its ability to steal sensitive data, including VPN credentials and keystrokes. While the campaign shares technical overlaps with the APT group Lazarus (Manuscrypt), its massive scale and distribution methods suggest a unique, large-scale operational profile.
## Incident Details
- **Discovery Date:** June 2021 (Initiation of deep analysis)
- **Incident Date:** Active from at least January 2021 through late 2021
- **Affected Organizations:** 35,000+ computers; identified targets include military-industrial enterprises and organizations in the energy sector.
- **Sector:** Industrial (ICS/OT), Government, Research, and Military.
- **Geography:** Global (195 countries); highest concentrations in Russia, India, Brazil, and Vietnam.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout 2021.
- **Vector:** Malicious installers for pirated software (warez) and cracked versions of professional engineering tools.
- **Details:** Attackers integrated malware into installers for software such as Windows 10 and Microsoft Office, and for specialized tools such as AutoCAD or SolarWinds Orion.
### Lateral Movement
- **Technique:** Use of the Remcos RAT and Muchele malware modules.
- **Details:** Once the initial system was compromised, the malware utilized built-in modules to capture credentials and navigate internal networks, often leveraging compromised VPN configurations.
### Data Exfiltration/Impact
- **Details:** The malware captured keystrokes, clipboard data, and system metadata. It specifically targeted credentials stored in browsers and VPN clients, exfiltrating the data to Command and Control (C2) servers via the KCP protocol.
### Detection & Response
- **How discovered:** Unusual activity detected by Kaspersky’s automated telemetry in ICS environments.
- **Response actions:** Kaspersky ICS CERT conducted a deep dive into the botnet, identifying the infrastructure and notifying affected parties through global security channels.
## Attack Methodology
- **Initial Access:** Distribution via "Malware-as-a-Service" platforms and cracked software installers.
- **Persistence:** Addition of registry keys and installation as a system service with high privileges.
- **Privilege Escalation:** Exploitation of system vulnerabilities and execution of installers with administrative rights provided by the user.
- **Defense Evasion:** Use of multi-stage unpacking, disabling of antivirus solutions, and the use of the KCP protocol to hide C2 traffic.
- **Credential Access:** Extraction of saved passwords from web browsers and harvesting of VPN connection profiles.
- **Discovery:** System reconnaissance including computer name, username, and installed software lists.
- **Lateral Movement:** Execution of remote shells and potential manual intervention using Remcos RAT.
- **Collection:** Keylogging, screen capturing, and clipboard monitoring.
- **Exfiltration:** Data sent to C2 over UDP using custom encrypted packets (KCP).
- **Impact:** Massive theft of intellectual property and potential for future sabotage via compromised remote access.
## Impact Assessment
- **Financial:** Significant potential losses, both from the liability attached to unlicensed software and from intellectual property theft.
- **Data Breach:** High volume of sensitive credentials and internal system diagrams (from AutoCAD targets) compromised.
- **Operational:** Potential for long-term presence in industrial control systems, enabling future operational disruption.
- **Reputational:** High impact for government and military contractors due to sensitive data leaks.
## Indicators of Compromise
- **Network Indicators:**
  - 112[.]73[.]20[.]180 (C2 Server)
  - 117[.]147[.]118[.]169 (C2 Server)
  - topnews[.]ignorelist[.]com (C2 Domain)
- **File Indicators:**
  - MD5: 1256338e5d0d8694037599723ecdbf7a (Main Loader)
  - MD5: a73f982782b1c7dc413642398547dec4 (Spyware Module)
- **Behavioral Indicators:** Execution of `cmd.exe` to disable local firewalls; unusual UDP traffic on high ports (KCP protocol).
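The following is an added example, not code from the report or from Kaspersky, showing how the indicators listed above can be turned into a simple retrospective scan: it refangs the defanged IPs and domain, matches them against DNS, connection and file-hash log lines, and applies the behavioral indicator (repeated UDP flows to high ports, as KCP tunnels produce). The log line format, the field names, the host and client addresses, and the high-port/flow-count thresholds are constructed assumptions for the demonstration.

```python
"""Retrospective IoC scan for the PseudoManuscrypt indicators (added example).

Log format (assumed): "<timestamp> <kind> key=value key=value ..." where kind is
dns, conn or file. Only the indicator values themselves come from the report.
"""
import re
from collections import Counter

# Indicators from the report, defanged with "[.]"; refang() restores the dots.
C2_IPS = {"112[.]73[.]20[.]180", "117[.]147[.]118[.]169"}
C2_DOMAINS = {"topnews[.]ignorelist[.]com"}
MALICIOUS_MD5 = {
    "1256338e5d0d8694037599723ecdbf7a": "Main Loader",
    "a73f982782b1c7dc413642398547dec4": "Spyware Module",
}

# Heuristic for "unusual UDP traffic on high ports": thresholds are assumptions.
UDP_HIGH_PORT_MIN = 10000
UDP_FLOW_THRESHOLD = 3


def refang(value):
    """Turn a defanged indicator ("1[.]2[.]3[.]4") back into a matchable string."""
    return value.replace("[.]", ".")


C2_IP_SET = {refang(ip) for ip in C2_IPS}
C2_DOMAIN_SET = {refang(d) for d in C2_DOMAINS}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.*)$")


def parse_fields(rest):
    """Split 'k=v k=v' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)


def scan(lines):
    """Return a list of (timestamp, indicator_type, detail) hits for the lines."""
    hits = []
    udp_flows = Counter()  # (src, dst) -> number of high-port UDP flows
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than fail the whole scan
        ts, kind, fields = m["ts"], m["kind"], parse_fields(m["rest"])
        if kind == "dns" and fields.get("query", "").lower() in C2_DOMAIN_SET:
            hits.append((ts, "c2_domain", fields["query"]))
        elif kind == "conn":
            dst = fields.get("dst", "")
            if dst in C2_IP_SET:
                hits.append((ts, "c2_ip", dst))
            if fields.get("proto") == "udp" and int(fields.get("dport", 0)) >= UDP_HIGH_PORT_MIN:
                udp_flows[(fields.get("src", "?"), dst)] += 1
        elif kind == "file":
            digest = fields.get("md5", "").lower()
            if digest in MALICIOUS_MD5:
                hits.append((ts, "file_hash", MALICIOUS_MD5[digest]))
    for (src, dst), count in udp_flows.items():
        if count >= UDP_FLOW_THRESHOLD:
            hits.append(("-", "udp_high_port_burst", f"{src}->{dst} x{count}"))
    return hits


def summarize(hits):
    """Count hits by indicator type, e.g. {'c2_ip': 3, ...}."""
    return Counter(kind for _, kind, _ in hits)


# Constructed sample log lines (internal hosts and the benign TCP peer are made up).
SAMPLE_LOGS = [
    "2021-06-01T10:00:01Z dns src=10.0.5.12 query=topnews.ignorelist.com",
    "2021-06-01T10:00:02Z conn src=10.0.5.12 dst=112.73.20.180 proto=udp dport=43210",
    "2021-06-01T10:00:03Z conn src=10.0.5.12 dst=112.73.20.180 proto=udp dport=43210",
    "2021-06-01T10:00:04Z conn src=10.0.5.12 dst=112.73.20.180 proto=udp dport=43210",
    "2021-06-01T10:00:05Z conn src=10.0.5.12 dst=203.0.113.9 proto=tcp dport=443",
    "2021-06-01T10:00:06Z file host=eng-ws-07 path=C:\\Temp\\setup.exe md5=1256338E5D0D8694037599723ECDBF7A",
    "2021-06-01T10:00:07Z file host=eng-ws-07 path=C:\\Temp\\readme.txt md5=d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Hash comparison is case-insensitive because endpoint agents differ in how they print digests; the UDP heuristic is kept separate from the exact-match indicators so that its threshold can be tuned per environment without touching the IoC list.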
## Response Actions
- **Containment:** Blocking of known C2 IP addresses and domains at the perimeter.
- **Eradication:** Removal of malicious services and registry keys; full system wipes for compromised ICS engineering stations.
- **Recovery:** Restoration of systems from clean backups and mandatory password resets for all corporate and VPN accounts.
## Lessons Learned
- **Shadow IT Risks:** The use of pirated or "cracked" software in professional and industrial environments remains a primary entry point for sophisticated spyware.
- **Evasion Techniques:** Attackers are increasingly using niche protocols (like KCP) to bypass standard traffic analysis tools.
- **Targeting Complexity:** High-level APT targets (military/research) can be reached through low-level "mass" delivery methods (warez).
## Recommendations
- **Policy Enforcement:** Strictly prohibit the installation of unlicensed/cracked software, especially on systems with access to ICS/OT environments.
- **Monitoring:** Implement behavior-based detection to identify unauthorized credential harvesting from browsers/VPNs.
- **Network Segmentation:** Ensure engineering workstations are segmented from the general internet to prevent direct C2 communication.
- **Audit:** Regularly audit VPN logs for anomalous login patterns following the discovery of such campaigns.
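The audit recommendation above can be made concrete with a small VPN login review. The example below is added here and is not part of the report: it reads constructed VPN authentication records, flags successful logins from a source address never seen before for that user, and flags a user whose successful logins come from more than one source address inside a short window, which is the pattern stolen VPN credentials tend to produce. The log format, the baseline of known addresses (here seeded by hand rather than learned from history), the window length, and the addresses themselves are assumptions.

```python
"""Audit VPN authentication logs for anomalous login patterns (added example).

Record format (assumed): "<ISO-8601 timestamp> <user> <source_ip> <success|failure>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumption: two sources within an hour is suspicious
MAX_DISTINCT_SOURCES = 1      # more than this many sources per user in WINDOW is flagged


def parse_record(line):
    """Parse one record into (timestamp, user, source_ip, result)."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, src, result


def audit(lines, baseline_ips):
    """Return a sorted list of unique (user, finding, detail) tuples.

    baseline_ips maps user -> set of source addresses previously seen for them.
    """
    events = sorted(parse_record(line) for line in lines)  # process in time order
    recent = defaultdict(list)  # user -> [(ts, src)] of successes inside WINDOW
    findings = set()
    for ts, user, src, result in events:
        if result != "success":
            continue  # failed attempts are left to a separate brute-force check
        if src not in baseline_ips.get(user, set()):
            findings.add((user, "login_from_unseen_source", src))
        history = recent[user]
        history.append((ts, src))
        history[:] = [(t, s) for t, s in history if ts - t <= WINDOW]
        sources = {s for _, s in history}
        if len(sources) > MAX_DISTINCT_SOURCES:
            findings.add((user, "concurrent_sources", ",".join(sorted(sources))))
    return sorted(findings)


# Constructed sample data using RFC 5737 documentation address ranges.
BASELINE = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}
SAMPLE_VPN_LOG = [
    "2021-07-01T08:02:11Z alice 203.0.113.10 success",
    "2021-07-01T08:15:40Z alice 192.0.2.55 success",
    "2021-07-01T09:00:00Z bob 198.51.100.7 success",
    "2021-07-01T03:12:09Z bob 192.0.2.99 failure",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_VPN_LOG, BASELINE):
        print(finding)
```

In production the baseline would be built from a trailing period of the same logs, and the two findings would be raised with different severities: an unseen source alone is common for travelling staff, while two sources active for one account inside the window warrants the credential reset the Recovery step calls for.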