Stories
Slash Boxes
Comments

SoylentNews is people

Operation Potao Express: Compromised Russian Version of TrueCrypt Targeted Users

posted by janrinok on Friday July 31 2015, @05:48PM   Printer-friendly
from the still-using-TrueCrypt? dept.

takyon writes:

ESET's WeLiveSecurity blog has released details of Win32/Potao malware attack campaigns on high-value targets in Ukraine, Russia, Georgia and Belarus:

We presented our initial findings based on research into the Win32/Potao malware family in June, in our CCCC 2015 presentation in Copenhagen. Today, we are releasing the full whitepaper on the Potao malware with additional findings, the cyber-espionage campaigns where it was employed, and its connection to a backdoor in the form of a modified version of the TrueCrypt encryption software.

Like BlackEnergy, the malware used by the so-called Sandworm APT group (also known as Quedagh), Potao is an example of targeted espionage malware directed mostly at targets in Ukraine and a number of other post-Soviet countries, including Russia, Georgia and Belarus.

[...] An (A)PT malware family that has gone relatively unnoticed for five years and that has also been used to spy on Ukrainian governmental and military targets is certainly interesting in and of itself. However, perhaps the most attention-grabbing discovery related to this case was when we observed a connection to the popular open-source encryption software, TrueCrypt. We found out that the website truecryptrussia.ru has been serving modified versions of the encryption software that included a backdoor to selected targets. Clean versions of the application are served to normal visitors to the website, i.e. people who aren't of interest to the attackers. ESET detects the trojanized TrueCrypt as Win32/FakeTC. TrueCrypt Russia's domain was also used as a C&C server for the malware. The connection to Win32/Potao, which is a different malware family from Win32/FakeTC, is that FakeTC has been used to deliver Potao to victims' systems in a number of cases. FakeTC is not, however, merely an infection vector for Potao (and possibly other malware) but a fully functional and dangerous backdoor designed to exfiltrate files from the espionage victims' encrypted drives.

From The Register.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Operation Potao Express: Compromised Russian Version of TrueCrypt Targeted Users | Log In/Create an Account | Top | 15 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Saturday August 01 2015, @12:13PM

    by Anonymous Coward on Saturday August 01 2015, @12:13PM (#216726)

    After a while I fetched my own key from a server only to find that two complete strangers had signed it. I expect they did so because they think well of me but how did that know that was _my_ key?

    That doesn't matter. Revoking key is only needed if you lose it, or *you* sign things that turned out to be fake ;)

  • (Score: 3, Touché) by MichaelDavidCrawford on Saturday August 01 2015, @01:15PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday August 01 2015, @01:15PM (#216738) Homepage Journal

    Suppose you yourself trusted the keys of the two complete strangers who signed mine.

    You want to send me a ciphertext, or validate my own sig on a cleartext mail, so you ask gnupg to verify that my sig is within your own web of trust.

    It will be, because you trusted the two right chaps who signed the key of a complete stranger that they found on a keyserver.

    But in reality, that key belongs to petergunn@cia.gov.

    Does that work for you?

    --
    Yes I Have No Bananas. [gofundme.com]