SoylentNews
https://soylentnews.org/

Title    Operation Potao Express: Compromised Russian Version of TrueCrypt Targeted Users
Date    Friday July 31 2015, @05:48PM
Author    janrinok
from the still-using-TrueCrypt? dept.
https://soylentnews.org/article.pl?sid=15/07/31/1229259

takyon writes:

ESET's WeLiveSecurity blog has released details of Win32/Potao malware attack campaigns on high-value targets in Ukraine, Russia, Georgia and Belarus:

We presented our initial findings based on research into the Win32/Potao malware family in June, in our CCCC 2015 presentation in Copenhagen. Today, we are releasing the full whitepaper on the Potao malware with additional findings, the cyber-espionage campaigns where it was employed, and its connection to a backdoor in the form of a modified version of the TrueCrypt encryption software.

Like BlackEnergy, the malware used by the so-called Sandworm APT group (also known as Quedagh), Potao is an example of targeted espionage malware directed mostly at targets in Ukraine and a number of other post-Soviet countries, including Russia, Georgia and Belarus.

[...] An (A)PT malware family that has gone relatively unnoticed for five years and that has also been used to spy on Ukrainian governmental and military targets is certainly interesting in and of itself. However, perhaps the most attention-grabbing discovery related to this case was when we observed a connection to the popular open-source encryption software, TrueCrypt. We found out that the website truecryptrussia.ru has been serving modified versions of the encryption software that included a backdoor to selected targets. Clean versions of the application are served to normal visitors to the website, i.e. people who aren't of interest to the attackers. ESET detects the trojanized TrueCrypt as Win32/FakeTC. TrueCrypt Russia's domain was also used as a C&C server for the malware. The connection to Win32/Potao, which is a different malware family from Win32/FakeTC, is that FakeTC has been used to deliver Potao to victims' systems in a number of cases. FakeTC is not, however, merely an infection vector for Potao (and possibly other malware) but a fully functional and dangerous backdoor designed to exfiltrate files from the espionage victims' encrypted drives.

From The Register.


Original Submission
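The story's defensive lesson is that a download site can hand a trojanized build to selected visitors while everyone else receives a clean one, so a copy verified by someone else says nothing about your own. The following is an added example (not code from ESET, TrueCrypt Russia, or the story's sources) of the two checks a practitioner would want: comparing a downloaded file against a digest obtained out of band, and comparing digests of the same download fetched from several independent vantage points so that a minority copy stands out. The installer bytes, file names and vantage-point labels are constructed for the demo, and the "published" digest is assumed to come from a channel separate from the download site.

```python
import hashlib
import hmac
import os
import tempfile
from collections import Counter
from typing import Dict, List

# Constructed stand-ins for an installer as received from a download site.
# A real build would be checked against a digest the project publishes over a
# separate channel (assumption: such an out-of-band digest is available).
CLEAN_INSTALLER = b"constructed stand-in for a clean installer\n"
TROJANIZED_INSTALLER = CLEAN_INSTALLER + b"constructed stand-in for an added backdoor\n"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash in 1 MiB chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_sha256: str) -> bool:
    """True only if the on-disk file matches the out-of-band digest."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


def divergent_copies(digests: Dict[str, str]) -> List[str]:
    """Vantage points whose copy differs from the majority digest.

    ``digests`` maps a label for each independent download (different network,
    host or proxy) to the SHA-256 of what that download received.  A site that
    hands a modified build only to selected visitors shows up as a minority
    digest; a site that serves everyone the same file yields an empty list.
    """
    majority, _ = Counter(digests.values()).most_common(1)[0]
    return sorted(label for label, digest in digests.items() if digest != majority)


def demo() -> dict:
    """Run both checks on the constructed samples and return the outcomes."""
    published = sha256_of_bytes(CLEAN_INSTALLER)  # digest obtained out of band
    with tempfile.TemporaryDirectory() as tmp:
        clean_path = os.path.join(tmp, "installer-setup.exe")
        bad_path = os.path.join(tmp, "installer-setup-targeted.exe")
        with open(clean_path, "wb") as f:
            f.write(CLEAN_INSTALLER)
        with open(bad_path, "wb") as f:
            f.write(TROJANIZED_INSTALLER)
        results = {
            "clean_verifies": verify_download(clean_path, published),
            "trojanized_verifies": verify_download(bad_path, published),
            # Three independent fetches: two received the clean build, one
            # (the "selected" visitor) received the modified build.
            "divergent": divergent_copies({
                "office-network": sha256_of_file(clean_path),
                "home-network": sha256_of_file(clean_path),
                "targeted-host": sha256_of_file(bad_path),
            }),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

The digest comparison is only as strong as the channel the expected value came from: a checksum fetched from the same site that served the file would be served selectively too. The multi-vantage comparison is a cheap way to notice selective serving, but a majority of matching copies does not prove any of them is clean, which is why the out-of-band digest remains the primary check.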

Links

  1. "takyon" - https://soylentnews.org/~takyon/
  2. "Win32/Potao malware attack campaigns on high-value targets" - http://www.welivesecurity.com/2015/07/30/operation-potao-express/
  3. "Win32/Potao" - http://virusradar.com/en/Win32_Potao/detail
  4. "CCCC 2015" - http://cccc-2015.com/#program
  5. "full whitepaper" - http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf
  6. "BlackEnergy" - http://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/
  7. "Win32/FakeTC" - http://virusradar.com/en/Win32_FakeTC/detail
  8. "The Register" - http://www.theregister.co.uk/2015/07/30/truecrypt_ru_hub/
  9. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=8640
