Upgraded PseudoManuscrypt could attack more targets

October 18, 2022
Tags: PseudoManuscrypt, Cyberattack, Malware, Dropper, NullMixer

The recently discovered PseudoManuscrypt botnet has been upgraded by its operators to attack more targets worldwide. According to reports, the operators have modified their command-and-control infrastructure, and the botnet has infected approximately half a million systems in about 40 countries over the past eight months.

The researchers said they had identified several previously unknown command-and-control domains produced by the operators' Domain Generation Algorithm (DGA). These domains drew large volumes of traffic from infected hosts and also turned up in several search engines, notably in Google search results.

Because the operators spread this traffic across numerous domains, pinning down the exact origin of any one domain was difficult. The researchers did, however, identify unusual UDP traffic on port 53 associated with the botnet. UDP/53 is the DNS port, so defenders have two practical checks here: traffic on that port that is not well-formed DNS, and DNS queries for DGA-style names that nobody would type by hand.
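The two checks above (DGA-looking query names and non-DNS payloads on UDP/53) can be scripted against captured flows. The following is an added example written for this article, not code from the researchers or from the malware analysis; the sample flows, the DGA-like name, the entropy thresholds and the assumption that the public suffix is a single label (co.uk-style suffixes would need a Public Suffix List lookup) are all constructed for illustration. The parser follows the RFC 1035 wire format for the question section.

```python
import math
import string
import struct
from collections import Counter

# Letters, digits, hyphen, plus underscore for SRV-style names. Anything else in a
# label is treated as "not a hostname query" for the purposes of this triage.
LDH = set(string.ascii_letters + string.digits + "-_")


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard RFC 1035 A/IN query for `name` (used here to construct sample traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_qname(payload: bytes):
    """Return the first question name if `payload` is a well-formed DNS query, else None."""
    if len(payload) < 12 + 1 + 4:  # header + at least the root label + QTYPE/QCLASS
        return None
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):  # labels are capped at 63 octets
            return None
        label = payload[pos:pos + length].decode("ascii", errors="replace")
        if not all(ch in LDH for ch in label):
            return None
        labels.append(label)
        pos += length
    if pos + 4 > len(payload) or sum(len(lbl) + 1 for lbl in labels) > 253:
        return None
    _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass == 0:
        return None
    return ".".join(labels).lower()


def shannon_entropy(s: str) -> float:
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(name: str) -> str:
    """Second-level label; assumes a single-label public suffix (assumption for this example)."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(name: str) -> bool:
    """Heuristic DGA test: long, high-entropy label with few vowels or many digits."""
    label = registrable_label(name)
    if len(label) < 12:
        return False
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= 3.5 and (vowels < 0.25 or digits > 0.3)


def classify_udp53(payload: bytes) -> str:
    """Label a UDP/53 payload: 'non-dns' (something else riding the DNS port), 'dga-like', or 'dns'."""
    name = parse_dns_qname(payload)
    if name is None:
        return "non-dns"
    return "dga-like" if looks_dga(name) else "dns"


# Constructed sample flows: (src, dst, UDP payload sent to dst port 53). Not real captures.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.53", build_dns_query("www.example.com")),
    ("10.0.0.7", "203.0.113.9", build_dns_query("xkq7wz3pdvh9tr2m.com")),  # invented DGA-style name
    ("10.0.0.9", "198.51.100.4", b"\x17\x03\x03\x00\x2a" + bytes(range(42))),  # TLS-record-shaped blob
]


def triage(flows):
    """Return (src, dst, verdict) for every flow; anything other than plain 'dns' deserves a look."""
    return [(src, dst, classify_udp53(p)) for src, dst, p in flows]


if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:53/udp  {verdict}")
```

The entropy and vowel thresholds are deliberately conservative so that long but pronounceable brand names are not flagged; they will still produce false positives on CDN hostnames and content hashes, so treat a "dga-like" verdict as a lead to correlate with volume and resolver responses, not as a conviction on its own.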

The researchers' analysis also uncovered the use of hardcoded URLs to stage the PseudoManuscrypt payload. Because these URLs did not depend on the DGA infrastructure, they gave the operators a fallback channel that helped them slip past defenders during infection.

The new version of the PseudoManuscrypt bot infects more than 7,000 systems a day. Security researchers noted that this is a sharp drop from the earlier version, which was infecting about 16,000 systems a day.

A separate researcher also reported that the same infection method is used by other malware families, including RedLine, SmokeLoader, and Socelars.

Researchers have also identified other droppers delivering the upgraded PseudoManuscrypt botnet.

Among them, PseudoManuscrypt has been observed being dropped by a newly identified loader called NullMixer, which its operators commonly distribute through cracked or pirated software hosted on malicious websites.

In addition, the improved botnet has been linked to a campaign targeting numerous devices in South Korea. In that case, the botnet posed as a software installer distributed through various malicious websites.

The botnet has grown rapidly since it first appeared in the cybercriminal landscape. Despite its recency, PseudoManuscrypt has evolved into a large botnet that can compete with more established malware.

Organisations should regularly review the IOCs published by threat researchers and track the emerging TTPs these botnets employ, so that detections for the DGA domains, the UDP/53 anomalies, and the droppers described here can be put in place before the next wave of infections.
