PseudoManuscrypt Being Distributed in the Same Method as Cryptbot – ASEC BLOG

ASEC researchers trace PseudoManuscrypt distribution in Korea since May 2021, noting it masquerades as a Cryptbot-like installer and is spread via malicious sites surfaced in top search results for illegal software (Crack/Keygen). The malware uses NSIS to drop a loader, decodes payloads, and establishes persistence by abusing registry keys and a Windows service while evading defenses. #PseudoManuscrypt #Cryptbot #AhnLab #ASEC #Korea

Keypoints

  • PseudoManuscrypt has been distributed in Korea since May 2021, disguised as an illegal software installer and spread via malicious sites that appear on top search results for Crack/Keygen.
  • The top-level file is an NSIS installer that creates setup_installer.exe, which acts as a 7z SFX loader for multiple malware components.
  • Loader loads several malware families (including SmokeLoader and Glupteba) and uses install.dll/install.dat saved in %TEMP% to drive execution.
  • The malware uses a MachineGuid-based registry key to store encoded data, enabling persistence and memory-only execution through decoded payloads.
  • It injects into svchost.exe (via netsvcs) and eventually creates a Windows service (AppService*) to maintain persistence across reboots and logoffs, while adding Defender exclusions.
  • Capabilities include data theft (VPN info, clipboard, audio, network shares, process ports, etc.) and C2 operations via email, with additional abilities like file download, screen capture, and keylogging.
  • The reported file hashes are detected as various Trojan/Generic variants, and the IOC list includes the C2 domain email.yg9[.]me.

MITRE Techniques

  • [T1189] Drive-by Compromise – The malware is distributed via malicious sites surfaced on the top search page for illegal software like Crack/Keygen. ‘distributed via malicious sites exposed on the top search page when users search commercial software-related illegal programs such as Crack and Keygen.’
  • [T1036] Masquerading – The top-level file is disguised as an illegal program in NSIS Installer format. ‘The top-level file disguised as an illegal program is in the form of NSIS (Nullsoft Scriptable Install System) Installer’
  • [T1027] Obfuscated/Compressed Files and Information – The installer encodes and compresses payloads (install.dat) and shellcode before execution. ‘install.dat (Encoded shellcode) … is encoded and compressed, and the shellcode decodes the encoded and compressed pe data’
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – The current process was run as rundll32.exe by the shortcut file to execute payloads. ‘The current process was run as svchost.exe … by the shortcut file.’
  • [T1112] Modify Registry – The malware creates a registry key using the MachineGuid value and stores encoded data there. ‘it creates a certain registry key … HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid(“Global”):1 – Encoded “install.dat”’
  • [T1055] Process Injection – The decoded install.dat is injected into svchost.exe after registry storage. ‘injects the decoded “install.dat” in the process.’
  • [T1543.003] Create or Modify System Process: Windows Service – It creates service entries (AppService*) to run malicious components and persist. ‘created service’ and registry configuration for automatic start.
  • [T1562.001] Impair Defenses – It adds an exclusion for Windows Defender to avoid detection. ‘System folder is excluded from Windows Defender scans’
  • [T1056.001] Keylogging – The malware can perform keylogging as part of its capabilities. ‘execution of keylogger and cmd commands’
  • [T1113] Screen Capture – The malware can perform screen capture as part of its capabilities. ‘screen capture’
  • [T1105] Ingress Tool Transfer – The attacker uses download activities (e.g., a Windows validation program) from a malicious site. ‘the user was trying to download a Windows validation program from a malicious site’
  • [T1087] Account Discovery (Process Discovery) – It enumerates running processes, including those that accept TCP/UDP ports. ‘Information of processes that accept TCP and UDP ports’
  • [T1518] Software Discovery – It gathers file/version information of the running processes. ‘File version information of the running process’
  • [T1071.004] Application Layer Protocol: Email – C2 communications use an email-based channel (C2: email.yg9[.]me). ‘C2 : email.yg9[.]me’
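The persistence and evasion artifacts summarised in the keypoints and MITRE list above (the MachineGuid-based registry key, the AppService* service, the Defender exclusion, and the case-mangled rundll32 loading install.dll from %TEMP%) can be hunted for in endpoint telemetry. The following is an added example, not code from the ASEC post: it runs simple rules over constructed Sysmon-style events (dicts, not real logs). The registry-path heuristics (a subkey written beneath the MachineGuid name, a value under Windows Defender\Exclusions) are assumptions about how the described behaviour would surface in telemetry.

```python
import fnmatch
import re

# Constructed Sysmon-style events for illustration; not telemetry from the ASEC post.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rUNdlL32.eXe",
     "CommandLine": r"rUNdlL32.eXe C:\Users\u\AppData\Local\Temp\install.dll,Main"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid\Global\1"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32"},
    {"EventID": 7045, "ServiceName": "AppServiceA1",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # Benign noise that must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 13, "Image": r"C:\Program Files\OneDrive.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

def case_mangled_rundll32(ev):
    # The post's logs show rUNdlL32.eXe; flag non-canonical casing of the image name.
    name = ev.get("Image", "").rsplit("\\", 1)[-1]
    return ev.get("EventID") == 1 and name.lower() == "rundll32.exe" and name != "rundll32.exe"

def rundll32_temp_dll(ev):
    # rundll32 loading install.dll out of %TEMP% (the loader path described in the post).
    return (ev.get("EventID") == 1 and ev.get("Image", "").lower().endswith("rundll32.exe")
            and re.search(r"\\temp\\install\.dll", ev.get("CommandLine", ""), re.I) is not None)

def machineguid_subkey_write(ev):
    # Assumption: encoded install.dat shows up as a value written beneath the MachineGuid name.
    return ev.get("EventID") == 13 and "\\cryptography\\machineguid\\" in ev.get("TargetObject", "").lower()

def defender_exclusion_write(ev):
    # Assumption: the System-folder exclusion is written under the Defender Exclusions key.
    return ev.get("EventID") == 13 and "\\windows defender\\exclusions\\" in ev.get("TargetObject", "").lower()

def appservice_install(ev):
    # System log 7045: a new service whose name matches the AppService* pattern.
    return ev.get("EventID") == 7045 and fnmatch.fnmatch(ev.get("ServiceName", ""), "AppService*")

RULES = [("case_mangled_rundll32", case_mangled_rundll32), ("rundll32_temp_dll", rundll32_temp_dll),
         ("machineguid_subkey_write", machineguid_subkey_write),
         ("defender_exclusion_write", defender_exclusion_write), ("appservice_install", appservice_install)]

def hunt(events):
    """Return (rule_name, event) pairs for every rule that matches an event."""
    return [(name, ev) for ev in events for name, fn in RULES if fn(ev)]

if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(name, ev.get("Image") or ev.get("ServiceName"))
```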

Indicators of Compromise

  • [File Hash] context – 1fecb6eb98e8ee72bb5f006dd79c6f2f, 5de2818ced29a1fedb9b24c1044ebd45, and 6 more hashes (Detected as various Trojan/Win.Generic variants)
  • [Domain] context – email.yg9[.]me (C2 domain)
  • [File] context – setup_installer.exe, install.dll, install.dat, install.dll.lnk (Loader-related files)
  • [Process] context – svchost.exe, rundll32.exe (processes used to execute/inject payloads)
  • [File] context – rUNdlL32.eXe (abnormal Rundll32 launcher indicated in logs)
  • [Registry Key] context – HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid(“Global”):1 (Encoded install.dat stored under MachineGuid-based key)
  • [Path] context – %TEMP%\install.dat, %TEMP%\setup_installer.exe (temporary storage for payloads)

Read more: https://asec.ahnlab.com/en/31683/