A botnet known as PseudoManuscrypt has been targeting Windows workstations in South Korea since at least May 2021. It uses the same distribution methods as another malware known as CryptBot.
“PseudoManuscrypt is disguised as an installer that is similar to a form of CryptBot, and is being distributed,” South Korea’s cybersecurity firm AhnLab Security Emergency Response Center (ASEC) said in a report published recently. “Not only is its file form similar to CryptBot, but it is also distributed via malicious sites exposed on the top search page when users search commercial software-related illegal programs such as Crack and Keygen,” it added.
ASEC disclosed that, on average, 30 computers in the country are infected every day. PseudoManuscrypt was initially discovered by Russian cybersecurity firm Kaspersky in December 2021, when it published details of a large-scale spyware campaign that had infected over 35,000 systems in 195 countries around the world. Attacks using this malware were first detected in June 2021. The targets included several industrial and government institutions in Russia, India, Brazil, and other countries, primarily military-industrial complex firms and research centers.
The primary payload module has a wide range of surveillance capabilities, giving the attackers virtually complete control over the compromised system. These include stealing VPN connection details, recording audio from the microphone, and collecting clipboard contents and operating system (OS) event log data. Moreover, PseudoManuscrypt can connect to a remote command-and-control server controlled by the attacker to carry out malicious tasks such as downloading files, executing arbitrary commands, logging keystrokes, and capturing screenshots and screen recordings.
Researchers advise users to be careful not to download such illegal programs, because this malware is disguised as an installer for pirated software and delivered indiscriminately through malicious websites. Periodic PC maintenance is also recommended, because malicious files may be registered as a service and continue executing malicious activities without the user's knowledge.