Pierluigi Paganini August 02, 2015

ESET issued a report on a cyber espionage campaign dubbed Operation Potao that relied on the diffusion of a trojanized Russian language version of TrueCrypt.

Despite TrueCrypt development was mysteriously interrupted last year, the popular open-source encryption tool still represents the ideal choice for individuals that need to encrypt their data.

Recently ESET published an interesting report related to the diffusion of a backdoored Russian language version of TrueCrypt used in a cyber espionage campaign dubbed Operation Potao.

The experts explained that the Operation Potao is a targeted espionage campaign directed mostly at targets in Ukraine and a number of neighboring countries, including Russia, Georgia and Belarus.

The list of victims includes the Ukrainian government and military entities and one of the major Ukrainian news agencies.

The researchers at ESET discovered that the Russian TrueCrypt website truecrypt.ru was used to serve malware to visitors since at least June 2012. By analyzing the timestamps attached to the malware the researchers dated the binaries back to April 2012.

“The attacks conducted using the Win32/Potao malware family span the past 5 years, the first detections dating back to 2011. The attackers are, however, still very active, with the most recent infiltration attempts detected by ESET in July2015.” explained the ESER researchers Robert Lipovsky and Anton Cherepanov.

It is interesting to note that not every visitor who downloaded TrueCrypt from the Russian site will have been infected by the malware, however, the selection criteria are still not clear.

“Not every download of the TrueCrypt software from the Russian website is malicious or contains a backdoor. The malicious versions of the software are served only to selected visitors, based on unknown specific criteria. This lends additional evidence to the view that the operation is run by a professional gang that selectively targets their espionage victims.” states the report.

ESET’s report claims that in addition to serving a trojanized version of TrueCrypt (now detected as Win32/FakeTC), the domain has also been used as a command-and-control server, sending instructions to computers infected by the backdoor.

The experts explained that the malware used in the Operation Potao doesn’t rely on any exploits and doesn’t appear particularly technically advanced. The malicious code does contain a few other interesting features that make it insidious, including a mechanism for spreading via USB drives and disguising executables as Word and Excel documents.

You can read the full technical report here, meanwhile Indicators of Compromise (IOC) that can be used to identify the threat agent can be found in the whitepaper or on github: https://github.com/eset/malware-ioc/tree/master/potao.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Operation Potao,  cyber espionage)