It’s similar to Lazarus’s Manuscrypt malware, but the new spyware is splattering itself onto government organizations and ICS in a non-Lazarus-like, untargeted wave of attacks.
Researchers have tracked new spyware – dubbed “PseudoManuscrypt” because it’s similar to “Manuscrypt” malware from the Lazarus advanced persistent threat (APT) group – that’s attempted to scribble itself across more than 35,000 targeted computers in 195 countries.
Kaspersky researchers said in a Thursday report that from Jan. 20 to Nov. 10, the actors behind the vast campaign were targeting government organizations and industrial control systems (ICS) across a range of industries, including engineering, building automation, energy, manufacturing, construction, utilities and water management. At least 7.2 percent of all attacked computers are part of ICS, researchers said.
Manuscrypt, aka NukeSped, is a family of malware tools that have been used in espionage campaigns in the past. One such campaign was a February spear-phishing operation linked to Lazarus – a prolific North Korean APT – that used the Manuscrypt malware family’s ‘ThreatNeedle’ tool cluster to attack defense companies.
Fake Pirated Installers
The operators behind PseudoManuscrypt are using fake pirated software installer archives to initially download the spyware onto targets’ systems.
The fake installers