Malware used to attack the Ukrainian government, military, and major news agencies in the country was distributed from a Russian portal for the encryption utility TrueCrypt, new research has revealed.
Security peeps at ESET discovered a connection to a Russian version of the now-discontinued, popular source-is-available encryption software TrueCrypt. The website truecryptrussia.ru has been serving a Russian-language localized version of the TrueCrypt application that also contains a backdoor, but only to select downloaders.
The backdoored version of the file and disk encryption application was only served to specially targeted victims. In addition to serving the trojanized TrueCrypt, the domain acted as a C&C server for the backdoored software. The malware is programmed to steal passwords and sensitive information from infected systems and send the data back to the C&C server.
The cyber-espionage group behind the Potao malware family also infected targets in former Soviet countries including Russia, Georgia, and Belarus, but its main hunting ground was Ukraine. In addition to the usual suspects for state-sponsored cyber-espionage, the malware was used to spy on members of MMM, a financial pyramid scheme popular in Russia and Ukraine. The ongoing campaign started in 2011.
More details about Operation Potao Express, featuring a deeper dive into the cyber-espionage toolkit, can be found on ESET's WeLiveSecurity blog here. The campaign's profile shares similar targets and techniques with the BlackEnergy campaign. ®