Powered by MOMENTUM MEDIA

New global malware threat identified

Over 30,000 computers across 195 countries have been hit by a newly exposed spyware threat.

Reporter
Thu, 16 Dec 2021

Global cyber security giant Kaspersky has uncovered “PseudoManuscrypt” – a new malware threat, which was blocked by the company on 35,000 computers across 195 countries between January and November 2021.

The threat contains similar features to the advanced persistent threat (APT) group Lazarus’ Manuscrypt malware.

Victims of PseudoManuscrypt reportedly include government organisations and industrial control systems across numerous industries.

Some of the impacted organisations were military-industrial enterprises and research laboratories; 7.2 per cent of the attacked computers were part of industrial control systems (ICS).

Engineering and building automation represented the most affected industries.

According to Kaspersky, PseudoManuscrypt is initially downloaded on targets’ systems via fake pirated software installer archives, some of which are for ICS-specific pirated software.

The fake installers could be offered via a Malware-as-a-Service (MaaS) platform, and in some cases, installed via the Glupteba botnet.

Following initial infection, a complicated infection chain is initiated that eventually downloads the main malicious module.

Two variants of this module have been identified, both with advanced spyware capabilities, including logging keystrokes, copying data from the clipboard, stealing VPN (and potentially RDP) authentication credentials and connection data, and capturing screenshots.

Kaspersky has recommended that organisations:

  • install endpoint protection software on all servers and workstations;
  • check that all endpoint protection components are enabled on all systems and a policy is in place which requires the administrator password be entered in the event someone attempts to disable the software;
  • check that Active Directory policies include restrictions on user attempts to log in to systems, only allowing users to log in to those systems which they need to access to perform their job responsibilities;
  • restrict network connections, including VPN, between systems on the OT network; block connections on all those ports that are not required for the continuity and safety of operations;
  • use smart cards (tokens) or one-time codes as the second authentication factor when establishing a VPN connection. In cases where this is applicable, use Access Control List technology to restrict the list of IP addresses from which a VPN connection can be initiated;
  • train employees in working securely with all communication channels and explain the possible consequences of downloading and executing files from unverified sources;
  • use accounts with local administrator and domain administrator privileges only when this is necessary to perform job responsibilities;
  • consider using managed detection and response class services to gain quick access to high-level knowledge and the expertise of security professionals; and
  • use dedicated protection for shop-floor systems that protect industrial endpoints and enable OT network monitoring to identify and block malicious activity.
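Two of the recommendations above, restricting which systems each user may log on to and confirming that endpoint protection is enabled and cannot simply be switched off, can be audited from PowerShell. The following is an added example written for this article, not code from Kaspersky or the original report. It assumes a Windows domain with the RSAT ActiveDirectory module installed, an account able to read and modify user objects, and Microsoft Defender on the endpoint; the user and workstation names are constructed placeholders, and the `IsTamperProtected` property is assumed to exist on the Defender build in use.

```powershell
# Added example, not from the article: audit and apply two of the listed
# recommendations on a Windows/Active Directory estate.
# Assumptions: RSAT ActiveDirectory module present; Microsoft Defender on the
# host; user and workstation names below are constructed placeholders.

Import-Module ActiveDirectory

# Recommendation: only allow users to log on to the systems they need.
# Map each account to the NetBIOS names of the workstations its role requires
# (constructed sample values).
$AllowedWorkstations = @{
    'ics.engineer1' = 'ENG-WS01,ENG-WS02'
    'ics.operator1' = 'HMI-WS01'
}

function Get-LogonRestrictionReport {
    # Returns one object per user showing whether a logon-workstation
    # restriction is set; an empty LogonWorkstations means "any computer".
    param([string[]]$SamAccountNames)
    foreach ($name in $SamAccountNames) {
        $u = Get-ADUser -Identity $name -Properties LogonWorkstations
        [pscustomobject]@{
            User         = $name
            Restricted   = -not [string]::IsNullOrEmpty($u.LogonWorkstations)
            Workstations = $u.LogonWorkstations
        }
    }
}

function Set-LogonRestriction {
    # Applies the mapping; LogonWorkstations takes a comma-separated list.
    # Run with -WhatIf first to preview the change without writing it.
    param([hashtable]$Map, [switch]$WhatIf)
    foreach ($entry in $Map.GetEnumerator()) {
        Set-ADUser -Identity $entry.Key -LogonWorkstations $entry.Value -WhatIf:$WhatIf
    }
}

# Recommendation: endpoint protection enabled and protected against being
# disabled without administrative credentials.
function Test-EndpointProtection {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        TamperProtected    = $s.IsTamperProtected      # assumed property; recent Defender builds
        SignatureAgeDays   = $s.AntivirusSignatureAge
    }
}

# Usage: report first, preview the change, then drop -WhatIf once the
# mapping has been confirmed with the system owners.
Get-LogonRestrictionReport -SamAccountNames $AllowedWorkstations.Keys | Format-Table
Set-LogonRestriction -Map $AllowedWorkstations -WhatIf
Test-EndpointProtection | Format-List
```

Any user whose report row shows `Restricted = False` can log on to every domain computer, which is the condition the recommendation is meant to remove; a `TamperProtected` or `RealTimeProtection` value of `False` flags an endpoint where the protection can be turned off by whoever is logged on.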

“This is a highly unusual campaign, and we are still piecing together the various information we have,” Vyacheslav Kopeytsev, security expert at Kaspersky, said.

“However, one fact is clear: this is a threat that specialists need to pay attention to.

“It has been able to make its way onto thousands of ICS computers, including many high-profile organisations. We will be continuing our investigations, keeping the security community apprised [of] any new findings.”
