PseudoManuscrypt malware targets ICS systems; several industrial, government organizations affected


Cybersecurity firm Kaspersky on Thursday published details of the PseudoManuscrypt malware, which has advanced spying capabilities and has, for about a year, likely targeted a significant number of industrial and government organizations. The firm said it cannot say for certain whether the campaign is pursuing criminal mercenary goals or goals aligned with some governments’ interests. However, the fact that the attacked systems include computers of high-profile organizations in different countries ‘makes us assess the threat level as high.’

“According to our telemetry, at least 7.2% of all computers attacked by the PseudoManuscrypt malware are part of industrial control systems (ICS) used by organizations in various industries, including Engineering, Building Automation, Energy, Manufacturing, Construction, Utilities, and Water Management,” Kaspersky said in its latest report.

Kaspersky said that its products blocked PseudoManuscrypt on more than 35,000 computers in 195 countries between Jan. 1 and Nov. 10 this year. Targets of the PseudoManuscrypt attacks include a significant number of industrial and government organizations, including enterprises in the military-industrial complex and research laboratories.

About 31.5 percent of industrial systems on which the PseudoManuscrypt malware was blocked are apparently used for engineering purposes, such as developing and launching the production of various industrial products. The systems were also used for ICS development and integration in different industries, including the defense and energy sectors. “This includes computers used for 3D modeling and physical simulations, as well as computers that have software for creating ‘digital twins’ installed on them,” Kaspersky said.

In addition, about 12.5 percent of the computers on which PseudoManuscrypt was blocked belonged to building automation systems, including video surveillance, access control, and notification systems. A further 1.8 percent were in the energy sector, 2.1 percent were spread across various manufacturing facilities, 0.7 percent were in the construction sector (structural engineering), 0.1 percent were public utility computers, and another 0.1 percent were computers used in water treatment systems.

About 51.2 percent of industrial computers on which PseudoManuscrypt was blocked are general-purpose ICS, which Kaspersky is unable to link to a specific industry with sufficient confidence, according to the report.

The Kaspersky report on the PseudoManuscrypt malware comes at a time when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has asked critical infrastructure owners and operators to take immediate steps to strengthen their network defenses against potential malicious cyber attacks, as preparations for the holiday season begin and in light of persistent and ongoing cyber threats. The agency stopped short of detailing what these ongoing threats are, but given the heightened threat environment, it is most likely referring largely to the Log4j scare.

In the wake of the Log4j unauthenticated remote code execution vulnerability, all organizations have been asked to immediately patch any instances of Log4j to 2.16.0. This release fixes the issue by removing support for message lookup patterns and disabling JNDI (Java Naming and Directory Interface) functionality by default.
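Before a patch can be applied, an operator needs to know which hosts still carry an old log4j-core build. The following inventory check is an added example, not tooling from Kaspersky, CISA or the Log4j project: it parses Maven-style jar names (`log4j-core-<version>.jar`), compares the version against the 2.16.0 baseline named above, and flags anything older. The file paths in `SAMPLE_PATHS` are constructed for the demonstration; `scan_tree()` is the hypothetical entry point for a real directory walk.

```python
"""Inventory Log4j 2 core jars and flag versions below 2.16.0.

Added example (not Kaspersky's, CISA's or the Log4j project's code).
The baseline 2.16.0 is the release the article says disables JNDI by
default and removes message lookup patterns.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Fix baseline taken from the article: Log4j 2.16.0.
FIXED_VERSION: Tuple[int, int, int] = (2, 16, 0)

# Maven-style core jar names, e.g. log4j-core-2.14.1.jar or log4j-core-2.0-beta9.jar.
# log4j-api and the 1.x line (log4j-1.2.x.jar) deliberately do not match.
_JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?([^/\\]*)\.jar$")


def _basename(path: str) -> str:
    """Last path component; accepts both / and \\ so Windows paths work on any OS."""
    return re.split(r"[\\/]", path)[-1]


def parse_log4j_core_version(path: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a log4j-core jar path, or None if the
    file is not a log4j-core jar. A missing patch component is treated as 0."""
    m = _JAR_RE.match(_basename(path))
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_below_fix(version: Tuple[int, int, int]) -> bool:
    """True when the version predates the 2.16.0 baseline."""
    return version < FIXED_VERSION


def find_outdated(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return [(path, version_string)] for every log4j-core jar below 2.16.0."""
    outdated: List[Tuple[str, str]] = []
    for p in paths:
        v = parse_log4j_core_version(p)
        if v is not None and is_below_fix(v):
            outdated.append((p, ".".join(map(str, v))))
    return outdated


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Hypothetical real-world entry point: walk a directory tree for jars.
    Kept separate so the rest of the module runs without touching the disk."""
    from pathlib import Path
    return find_outdated(str(p) for p in Path(root).rglob("*.jar"))


# Constructed sample inventory standing in for a filesystem walk.
SAMPLE_PATHS = [
    "/opt/historian/lib/log4j-core-2.14.1.jar",          # below baseline
    "/opt/historian/lib/log4j-api-2.14.1.jar",           # api jar, ignored
    "/srv/webapp/WEB-INF/lib/log4j-core-2.16.0.jar",     # at baseline
    "C:\\Program Files\\Vendor\\lib\\log4j-core-2.13.0.jar",  # below baseline
    "/usr/share/java/log4j-1.2.17.jar",                  # 1.x line, ignored
]

if __name__ == "__main__":
    for path, ver in find_outdated(SAMPLE_PATHS):
        print(f"UPDATE NEEDED: {path} (log4j-core {ver} < 2.16.0)")
```

Matching on the jar filename is only a first pass: applications that shade or rename log4j-core into a fat jar will not be caught this way, so a filename-based inventory should be complemented by checking the version recorded inside the jar's manifest.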

Kaspersky said that the PseudoManuscrypt module has extensive and varied spying functionality. It includes stealing VPN (virtual private network) connection data, logging keypresses, capturing screenshots and videos of the screen, recording sound with the microphone, stealing clipboard data, and stealing operating system event log data, which also makes it possible to steal RDP authentication data. Essentially, the functionality of PseudoManuscrypt gives the attackers virtually full control of the infected system.

Kaspersky identified that the PseudoManuscrypt loader makes its way onto a user system via complicated chains of numerous other malicious files’ installations and the creation of many different processes. These chains are diverse, but they all begin with fake pirated software installer archives. 

“It is worth noting that these archives include fake installers of ICS-specific software, such as an application designed to create a MODBUS Master Device to receive data from a PLC, as well as more general-purpose software, which is nevertheless used on OT networks, such as a key generator for a SolarWinds tool for network engineers and systems administrators,” Kaspersky said. “Resources used to distribute such installers can be found in top positions on search engine results pages. This indicates that the attackers are actively performing search-engine optimization for these resources.”

Kaspersky found that there are numerous possible variants of the execution flow of a sequence of different malicious programs leading to PseudoManuscrypt installation. “In addition to the file analyzed in this paper, malware installers download and execute numerous other malicious programs, including spyware, backdoors, cryptocurrency miners, and adware,” the post added. 

“At each stage, we detected a large number of different droppers installed and modules downloaded, with the data theft functionality duplicated in different modules and with each module using its own command-and-control servers,” according to the Moscow-headquartered company. “This could indicate that the installers are offered by threat actors via a MaaS platform, possibly to many operators of different malicious campaigns, one of which is apparently the PseudoManuscrypt distribution campaign.”

Last month, Kaspersky said that cybercriminals made significant strides in 2021, as the list of high-profile ransomware attacks on industrial enterprises this year is probably longer than for all previous years combined. The firm expects 2022 to be tougher on ICS and industrial enterprises, as signs of compromise have been identified in many organizations on computers directly related to ICS.
