New malware has targeted more than 35,000 computers in 195 countries in a large-scale spyware campaign. Kaspersky's cybersecurity experts explain it well.
Cybersecurity: Kaspersky warns us about a new spyware campaign
It’s only been a few days since we learned of a phishing attack that even exploited the latest Spider-Man movie. Today the news concerns a large-scale, indiscriminate campaign. Between 20 January and 10 November 2021, Kaspersky's cybersecurity experts discovered new malware that targeted more than 35,000 computers in 195 countries. Nicknamed “PseudoManuscrypt” because of its similarities to the Lazarus APT group's Manuscrypt malware, it possesses advanced spying capabilities and has hit both government organizations and industrial control systems (ICS) in several industries. Military organizations and research laboratories were also identified among the targets. 7.2% of the computers attacked in the spyware campaign were part of industrial control systems, and the industries most affected were engineering and building automation.
Initially, PseudoManuscrypt reached victims’ systems through fake pirated-software installers, some of them specific to ICS software. These rogue installers are probably distributed through a Malware-as-a-Service (MaaS) platform. In some cases, PseudoManuscrypt was installed by the well-known Glupteba botnet. After the initial infection, a complex infection chain led to the download of the main malicious module, of which Kaspersky's experts identified two variants.
Both offer advanced spyware features, including keystroke logging, copying clipboard contents, stealing VPN (and potentially RDP) authentication credentials and other login credentials, taking screenshots, and more. The attacks show no particular preference for a specific industry; however, the large number of computers attacked in the engineering sector, including systems used for 3D and physical modelling and digital twins, suggests that industrial espionage may be one of the goals.
An atypical spyware campaign according to experts
Oddly, some of the victims are linked to the targets of the Lazarus campaign previously reported by Kaspersky ICS CERT. The data is sent to the attacker’s server over a rare protocol, using a library that had previously been seen only in APT41 malware. However, given the large number of victims and the lack of an explicit focus, Kaspersky does not attribute the campaign to Lazarus or to any other known APT threat actor.
“This is a very unusual campaign. We are still collecting the various information we have available. However, one thing is clear: this is a threat that experts need to watch out for. It has been able to reach thousands of ICS computers, including many high-profile organizations. We will continue our investigations, keeping the security community informed of any new findings”, commented Vyacheslav Kopeytsev, Kaspersky security expert.
Kaspersky’s tips for protecting yourself
To protect against PseudoManuscrypt, cybersecurity experts recommend:
- Install endpoint security software on all servers and workstations.
- Verify that all endpoint security components are enabled on all systems and that a policy is in place that requires the administrator password to be entered in case someone attempts to disable the software.
- Verify that Active Directory policies include restrictions on user attempts to log into systems. Users should be allowed to access only the systems they need to perform their job duties.
- Restrict network connections, including VPN, between systems on the OT network; block connections on all ports that are not necessary for the continuity and safety of operations.
- Use smart cards (tokens) or one-time codes as two-factor authentication when establishing a VPN connection. Whenever possible, use Access Control List (ACL) technology to restrict the list of IP addresses from which a VPN connection can be initiated.
- Train company employees on cybersecurity when working with the internet, email and other communication channels.
- Use accounts with local administrator and domain administrator privileges only when necessary to perform your job duties.
- Consider using services such as Managed Detection and Response to gain quick access to high-level knowledge and the experience of security professionals.
- Use dedicated protection for shop floor control systems.
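The logon-restriction, least-privilege and port-restriction tips above are the ones an administrator can act on directly. The script below is an added example written for this page, not code from Kaspersky or from the report; it assumes a Windows domain with the ActiveDirectory and NetSecurity PowerShell modules, and every user name, host name, subnet and port in it (j.doe, ENG-CAD-01/02, 10.10.20.0/24, OPC UA on TCP 4840, the IKE/IPsec ports 500 and 4500, the 203.0.113.0/24 source range) is a placeholder chosen for illustration.

```powershell
#Requires -Modules ActiveDirectory, NetSecurity
# Added hardening example, not part of Kaspersky's report.
# All identities, hosts and addresses below are assumed placeholders.

# 1. Let the engineering account log on only to its own workstations.
#    An account with an empty LogonWorkstations attribute may log on anywhere
#    in the domain, which is what the "restrict logins" tip is about.
$EngineeringUser = 'j.doe'                 # assumed account
$AllowedHosts    = 'ENG-CAD-01,ENG-CAD-02' # assumed workstations, comma-separated
Set-ADUser -Identity $EngineeringUser -LogonWorkstations $AllowedHosts

# Audit: every enabled user that still has no logon restriction at all.
Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
    Where-Object { -not $_.LogonWorkstations } |
    Select-Object SamAccountName

# 2. Least privilege: list standing Domain Admins so unused membership can be
#    removed and day-to-day work moved to unprivileged accounts.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LastLogonDate |
    Select-Object SamAccountName, LastLogonDate

# 3. On an OT host (run locally): default-deny inbound on every profile, then
#    allow only the one protocol the process needs, and only from the
#    engineering subnet. Windows Firewall lets a Block rule override any Allow
#    rule, so the allow-list is built from the default action, not from extra
#    block rules.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'OT allow OPC UA from engineering subnet' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 4840 `
    -RemoteAddress '10.10.20.0/24'         # assumed engineering subnet
# Built-in allow rules still apply under a default-deny profile; switch off the
# groups that are not needed for operations (RDP here).
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. Source-address ACL for a Windows-hosted IPsec VPN endpoint: only the
#    listed range may even start the IKE exchange. On a VPN appliance the
#    equivalent is an ACL on the outside interface.
New-NetFirewallRule -DisplayName 'VPN allow IKE/IPsec from approved range' `
    -Direction Inbound -Action Allow -Protocol UDP -LocalPort 500,4500 `
    -RemoteAddress '203.0.113.0/24'        # assumed range (RFC 5737 documentation net)
```

Run the first two sections from an administrative workstation with RSAT installed and the last two on the host being hardened; re-run the two audit queries periodically, since an empty LogonWorkstations attribute or a forgotten Domain Admins member is exactly what a credential-stealing implant like PseudoManuscrypt turns into lateral movement.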