PseudoManuscrypt Malware Targeting Government and ICS Systems in 2021

A group whose tactics, techniques and procedures resemble those of the North Korea-affiliated Lazarus Group targeted government and private industry computers throughout 2021, with a notable focus on industrial control systems (ICS), security firm Kaspersky said in a December 16 brief.

As of November 10, the unattributed group had targeted more than 35,000 systems in 195 countries with malware that Kaspersky dubbed PseudoManuscrypt because its functionality resembles that of the Manuscrypt program used by Lazarus Group. Although the operation did not appear to single out any particular industry, the affected systems included computers in military industrial companies and research laboratories, and more than 7% of the affected computers were part of industrial control systems.

Although the attack does not stand out for the sheer volume of compromised systems, the number of sensitive systems involved should raise eyebrows, says Vyacheslav Kopeytsev, security expert at Kaspersky.

“The fact that a large number of ICS computers around the world – thousands by our telemetry alone, and in fact, quite possibly many more – have been attacked in this campaign certainly makes it a threat that deserves the utmost attention of specialists responsible for the safety and security of shop floor systems and their continued operation,” he says.

“With the large number of engineering computers under attack, including systems used for 3D and physical modeling,” he adds, “the development and use of digital twins raises the question of industrial espionage as one of the possible objectives of the campaign.”

For defenders, industrial control systems pose a high risk because of both their vulnerability and the potential impact of an attack. Many of these systems predate the growing attention paid over the past decade to secure design and development, leaving behind features that are essentially design vulnerabilities and can be easily abused by attackers. The hijacking of the Oldsmar, Florida water treatment plant in early 2021 highlighted what simple attacks can achieve against infrastructure that is insecure by design.

However, malware attacks such as PseudoManuscrypt remain a common way to move from IT networks into OT networks. The malware is initially installed through fake installers for supposedly pirated software, including ICS software, as well as through malware-as-a-service (MaaS) networks, according to Kaspersky’s analysis. After a complicated installation chain, the malware collects information from the compromised computers and the devices connected to them.

“The most serious impact of this malware is the theft of confidential data – usernames and passwords, VPN connection settings, screenshots and even video recording from the screen; this is all collected by PseudoManuscrypt,” says Kopeytsev.

The link with the Lazarus Group is fairly weak. Lazarus Group operations have been linked to the North Korean Government’s Reconnaissance Office, and its activities overlap with those of APT37, APT38 and Kimsuky. In an operation dubbed ThreatNeedle, Lazarus Group used custom malware called Manuscrypt, which shares many similarities with the new malware, PseudoManuscrypt, according to additional information released by Kaspersky.

“Both malicious programs load a payload from the system registry and decrypt it,” says Kopeytsev. “The executable files of the two malware programs have virtually identical export tables. In addition, the two malware programs use similar executable file naming formats.”

Other clues to the attacker’s identity include Chinese-language comments in the program’s metadata, use of a library previously used by the Chinese state-sponsored group APT41, and communications with the program’s command-and-control server that are sent in Chinese.

“[W]e cannot say for sure whether the campaign pursues criminal mercenary goals or goals that correlate with the interests of certain governments,” Kaspersky said in its analysis. “Nonetheless, the fact that the attacked systems include computers from leading organizations in different countries makes us assess the threat level as high.”

In the first four months of 2021, the company saw only a low level of PseudoManuscrypt detections, but that changed in May, when more than 200 instances of the malware were detected every day. The countries most affected by the ongoing attack are Russia, India and Brazil, which together account for over 30% of all computers attacked using PseudoManuscrypt. Organizations in the United States were the eighth most targeted, accounting for just 2.4% of activity.

Of the industrial systems attacked, 44% belonged to the engineering and building automation industries.

There are some common-sense steps that can help businesses defend against malware, even ICS-focused malware. Overall security can be improved by requiring an administrator password to disable security software, and two-factor authentication can thwart credential-stuffing attacks. Manufacturers, engineering companies and utilities should use dedicated security solutions to protect their shop floor systems, Kaspersky said.

About Marion Browning
