Numerous Windows machines in South Korea have been targeted since at least May 2021 by a botnet tracked as PseudoManuscrypt, which employs the same delivery tactics as another malware called CryptBot.
“PseudoManuscrypt is disguised as an installer that is similar to a form of CryptBot, and is being distributed,” South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report published today.
“The file format is very similar to CryptBot and it’s also available via malware sites that are exposed at the top of search results pages when people search for illegal software programs, such as Crack or Keygen,” it said.
According to ASEC, around 30 computers in the country are being infected every day on average.
PseudoManuscrypt was first documented by Russian cybersecurity firm Kaspersky in December 2021, when it disclosed details of a “mass-scale spyware attack campaign” infecting more than 35,000 computers in 195 countries globally.
Targets of the PseudoManuscrypt attacks, first discovered in June 2021, included significant numbers of government and industrial organizations in Russia, India and Brazil.
The main payload module is equipped with extensive and varied spying functionality that provides the attackers with virtually full control of the infected system. This includes stealing VPN connection details, recording audio with the microphone, and capturing clipboard contents and operating system event log data.
PseudoManuscrypt is able to access remote command-and-control servers under an attacker’s control and perform various malicious activities, such as downloading files, executing arbitrary commands and logging keypresses. It can also capture screenshots and video of the screen.
“This malware disguises itself as a software installer, and can be distributed to random people via malicious websites. Users should therefore take care not to install relevant programs,” the researchers stated. “It is important to maintain your computer regularly, as malicious programs can be installed and used in continuous malign behavior without user knowledge.”