Arbor Networks linked a new Acronym Malware to the Potao Express campaign

Pierluigi Paganini March 19, 2017

Security experts at Arbor Networks linked a new Acronym malware to the malicious code used by threat actors behind the Operation Potao Express.

Security experts at Arbor Networks have spotted a new strain of malware that could be linked to the malicious code used by threat actors behind the Operation Potao Express.

The researchers started the investigation after the Italian researchers Antelox shared a link to a VirusTotal analysis on Twitter.

The analysis of the malicious code and of the dropper suggested a possible link to the Potao malware family.

Like the Potao trojan, the Acronym malware has a modular structure.

The Potao malware, which has been described as a “universal modular cyber espionage toolkit,” has been around since at least 2011, but it was first analyzed in detail in 2015 by ESET.

In August 2015, ESET issued a report on a cyber espionage campaign dubbed Operation Potao Express that relied on the diffusion of a trojanized Russian language version of TrueCrypt.

The malware was used in targeted attacks against entities and high-value targets in Ukraine, Russia, Georgia, and Belarus.

Acronym malware potao express eset-623x4322

Back to the present, the malware researchers at Arbor Networks have discovered a malicious code dubbed “Acronym” based on a debugging string and the URLs pointing to command and control (C&C) servers.

“Upon further investigation, it is a modular malware known as Acronym and could possibly be associated with the Win32/Potao malware family and the Operation Potao Express campaign. This post takes a look at our analysis of Acronym thus far.” reads the analysis published by Arbor Networks.

Both Acronym and its dropper appear to have been compiled in February 2017.

The analysis of the Dropper component revealed that it starts by killing any Windows processes named “wmpnetwk.exe,” and replace it with the malicious code.

It then contacts a C&C server and sends it information about the infected machine.

Once the bot has completed the initialization phase, it will contact the command and control servers (C2s) and sends back the information iterating through six possible IP/port pairs.

The Acronym malware gains persistence using Registry or the Task Scheduler.

The malware is able to capture screenshots, download and execute other payloads, and run plugins.

Unfortunately, we have no information about the plugins available because the C&C servers were offline at the time of the analysis conducted by Arbor Networks.

Researchers noticed that the Potao trojan and the Acronym malware use the same C&C infrastructure, both contact C&C domains on the same ports, and both use temporary file names that start with “HH.”

The experts also noticed also some differences between the two threats, the encryption and the delivery mechanism are different.

“On the other hand though, there is a lot of functionality missing in Acronym that was documented in Win32/Potao. Some examples:

  • No decoy document used in the dropper
  • Dropper doesn’t stored the dropped executable compressed
  • Doesn’t inject into any processes
  • Doesn’t drop a DLL, but an EXE
  • No string encryption
  • No RSA key exchange
  • No AES encryption
  • No XML data exchange
  • Different system information query string
  • No Windows API hashing”

“As usual with new malware it is too soon to assess how active and widespread this new family will become, but it does have a potential link to a long running malware campaign known as Operation Potao Express that makes it worth watching,” concluded Arbor Networks.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Operation Potao Express, Acronym malware)



you might also like

leave a comment