ESET is today issuing an analysis on Operation Potao Express, the cyberespionage group behind the Win32/Potao malware family.
Potao is an example of targeted espionage (APT) malware detected mostly in Ukraine and a number of other CIS countries, including Russia, Georgia and Belarus.
Among the victims that ESET was able to identify, the most notable high-value targets include Ukrainian government and military entities and one of the major Ukrainian news agencies. The malware was also used to spy on members of MMM, a financial pyramid scheme popular in Russia and Ukraine. One of the most interesting discoveries during ESET’s Potao investigation and research was the connection to a Russian version of the now discontinued popular open-source encryption software, TrueCrypt. The website truecryptrussia.ru has been serving a Russian-language localized version of the TrueCrypt application that, in some specific cases, also contains a backdoor. The trojanized version of the application is only served to selected victims, which is another indicator of targeting by the malware operators and also one of the reasons why the backdoor has gone unnoticed for such a long time. In addition to serving trojanized TrueCrypt, the domain also acted as a C&C server for the backdoor. The connection to Potao lies in the fact that Win32/Potao has, in a few cases, been downloaded by Win32/FakeTC (ESET’s detection name for the trojanized encryption software).
ESET presents Operation Potao Express, an extensive analysis of the cyberespionage group behind the Win32/Potao malware family. An ESET white paper with the same name offers technical details and describes spreading mechanisms and the most noteworthy attack campaigns since this malware’s first appearance in 2011 through to the present day.
Win32/Potao is an example of espionage malware. It has been detected mostly in Ukraine and a number of other CIS countries, including Russia, Georgia and Belarus. The Potao family is a typical cyberespionage trojan that steals passwords and sensitive information and sends them to the attackers’ remote server.
Similar to BlackEnergy, Potao was used to spy on the Ukrainian government, military entities and a major Ukrainian news agency. It was also used to spy on members of MMM, a financial pyramid scheme popular in Russia and Ukraine. Besides the variety of attack campaigns, there is one other interesting fact about Win32/Potao.
“Our investigation of Potao uncovered a very interesting connection to a Russian version of the now-discontinued popular open-source encryption software, TrueCrypt,” says Robert Lipovsky, Senior Malware Researcher at ESET.
Investigating further, ESET researchers discovered another connection: the trojanized TrueCrypt was tied to the truecryptrussia.ru website, which not only delivered the infected encryption software in some specific cases but also acted as a command and control (C&C) server for the backdoor.