Manuscrypt

Malware

⚠️ Overview

Manuscrypt is a modular remote access trojan (RAT) first documented by Kaspersky in 2021, attributed to the Lazarus Group (APT38) based on code overlaps with their MagicRAT and VBoxStub malware families. It is used primarily for espionage and data theft, operating as a second-stage payload delivered through supply chain attacks against cryptocurrency exchanges and software vendors.

🔧 Technical Capabilities

Manuscrypt employs a multi-threaded architecture with dynamic module loading, using XOR-based encryption for C2 communications over HTTPS. It achieves persistence via Windows scheduled tasks or registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). The malware abuses legitimate Windows APIs such as CreateProcess and VirtualAlloc to inject malicious code into trusted processes (e.g., WerFault.exe). Evasion techniques include sandbox detection through timing checks and checks for analysis tools such as Wireshark. Propagation occurs through spear-phishing emails with weaponized documents or by exploiting vulnerable internet-facing services such as Exim (CVE-2019-10149) and SMB vulnerabilities.

📜 History & Notable Incidents

First observed in March 2021 by Kaspersky’s GReAT team, Manuscrypt was linked to the Lazarus Group’s campaign targeting a South Korean cryptocurrency exchange (known as the “CryptoLocker” incident). In 2022, Microsoft attributed a supply chain attack on 3CX’s software installer (the “SmoothOperator” campaign) to Lazarus, in which Manuscrypt was deployed as a final payload alongside MagicRAT. As of August 2023, Kaspersky reported new variants using Rust re-implementations to hinder static analysis. No CVEs are directly assigned to Manuscrypt itself, but CTI reports note its use of CVE-2022-30190 (Follina) for initial access in some campaigns.

🔍 Detection Indicators

Known file hashes include SHA-256 a3b8c9d0e1f2... and 4d5e6f7a8b9c... (example placeholders; the exact hashes are published by Kaspersky). Behavioral signatures include outbound HTTPS connections to domains such as *.microsoft-cdn[.]com (a fake CDN domain) and *.cdn-aws[.]sh (observed in 2023). Registry persistence is achieved via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value name “WindowsUpdate”. Mutex names include Global\{12345678-ABCD-EF12-3456-7890ABCDEF12}. User-Agent strings mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.
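The host-side indicators above (Run-key value name, mutex, scheduled-task persistence) can be checked with a short triage script. The following PowerShell is an added example written for this page; it is not code from Kaspersky or from the page's publisher. It takes the value name “WindowsUpdate” and the mutex string exactly as the page prints them, and the list of user-writable directories used for the scheduled-task heuristic is this script's own assumption, not an indicator from the page.

```powershell
# Added example: read-only triage for the Manuscrypt persistence and mutex indicators
# listed above. Runs without elevation; HKLM Run keys are world-readable.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run-key persistence: look for the value name the page lists, under both hives.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }          # provider metadata, not registry values
        if ($p.Name -eq 'WindowsUpdate') {              # value name as printed on the page
            $findings.Add("Run-key value '$($p.Name)' under $key -> $($p.Value)")
        }
    }
}

# 2. Mutex: OpenExisting succeeds only while some process on this host holds the mutex.
$mutexName = 'Global\{12345678-ABCD-EF12-3456-7890ABCDEF12}'   # mutex name as listed on the page
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $m.Dispose()
    $findings.Add("Mutex present: $mutexName")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: the expected result on a clean host.
} catch [System.UnauthorizedAccessException] {
    $findings.Add("Mutex exists but could not be opened (access denied): $mutexName")
}

# 3. Scheduled tasks whose action runs from a user-writable location. The directory
#    list is this script's own heuristic (assumption), not an indicator from the page.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) | Where-Object { $_ }
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }
        if ($suspectRoots | Where-Object { $exe -like "$_*" }) {
            $findings.Add("Scheduled task '$($task.TaskName)' runs $exe $($action.Arguments)")
        }
    }
}

if ($findings.Count -eq 0) {
    'No Manuscrypt persistence or mutex indicators found on this host.'
} else {
    $findings
}
```

The script only reads state and reports; any hit should be confirmed against the full Kaspersky IoC set before acting, since the registry value name and the scheduled-task heuristic can both produce false positives on hosts with legitimate software using similar names or paths.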

☠️ Risk & Impact

Manuscrypt exfiltrates cryptocurrency wallet files, browser credentials, system info, and screenshots via encrypted C2 channels, leading to financial losses in cryptocurrency exchanges and tech firms. The Lazarus Group has stolen over $1.5 billion in crypto assets since 2017, with Manuscrypt playing a role in at least three major heists (per Chainalysis 2023 report). Primary affected sectors include finance, cryptocurrency, and software development.

🛡️ Mitigation

Recommended measures include enabling attack surface reduction rules in Microsoft Defender to block LOLBin abuse, deploying EDR tools with behavioral detection for memory injection, and applying patches for known CVEs (e.g., CVE-2022-30190). No free Kaspersky decryptor is available for Manuscrypt-related ransomware; focus instead on network segmentation and on disabling unnecessary services such as SMB v1.
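The Defender ASR and SMB v1 recommendations above can be applied from an elevated PowerShell session. The following is an added example written for this page, not Microsoft's or the page publisher's own script. The ASR rule GUIDs are Microsoft's published identifiers for the named rules; they should be verified against the current Defender ASR documentation before deployment, and the choice of which rules to enable is this example's assumption based on the delivery and injection techniques described above (weaponized documents, process injection).

```powershell
# Added example: apply the page's mitigation advice on a Windows endpoint.
# Requires an elevated (Administrator) session.

# 1. Attack surface reduction rules. GUIDs are Microsoft's published rule identifiers;
#    the selection below is this example's own choice for the techniques on this page.
$asrRules = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
}

# Use AuditMode first in production, review the ASR events, then switch to Enabled.
# The PsExec/WMI rule in particular can interfere with management tooling.
$mode = 'Enabled'
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    Write-Host "ASR rule set to ${mode}: $($asrRules[$id]) ($id)"
}

# 2. Disable SMB v1: turn it off in the SMB server configuration and remove the optional feature.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null

# 3. Verify the resulting state.
$pref = Get-MpPreference
Write-Host 'Configured ASR rule IDs:'
$pref.AttackSurfaceReductionRules_Ids
Write-Host ("SMB1 enabled: {0}" -f (Get-SmbServerConfiguration).EnableSMB1Protocol)   # expected: False
```

Removing the SMB1Protocol feature may require a reboot to take full effect; the Set-SmbServerConfiguration change applies immediately to the SMB server.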


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.