Potao Malware Used to Target Government of Ukraine - ESET

News published on 30th July, 2015 quoting security firm ESET as "Win32/Potao malware family has been used for the last five years in hidden targeted attacks against the government of Ukraine and served up on occasion by a Trojanized Russian version of encryption software TrueCrypt."

The cyber-security firm mentioned its recent findings in a new report known as Operation Potao Express.

In early days, Potao was spread through phishing emails in what looks to be a mass-distribution campaign which might be used to test and mend the Trojan.

The report claimed that the activity from 2011 to 2013 was not so frequent but infections started to spike in 2014 and this year, so far, there have been almost 400 recorded detections because of infection via USB drives.

Other attacks used spear-phishing with the well-known popular Russian pyramid-selling scheme MMM as bait whereas the malware was also detected in Georgia in an email with a wedding invitation written in English.

Attacks were extremely targeted against Ukrainian victims which started seriously in 2014.

Researchers observe one infection vector involving sending personalized SMSs to targets which direct them to landing webpages concealed as postal websites - hosting the malware. In these cases, executables were often concealed as Excel, Word and PDF documents.

Another way of spreading malware is infecting USB devices connected to an infected system and then plugging the same infected USB device into a different machine. Victim needs to double-click the malicious software dropper which is positioned on the pen-drive which has hidden itself as logo and name of the genuine USB drive. All other files on the drive are made unseen to make things trickier.

A third mechanism of spreading infection engages open source encryption software identified as TrueCrypt. Researchers noted that the truecryptrussia(dot)ru website delivering to selected targets an altered version of the software containing a backdoor. The modified version - called Win32/FakeTC - has more features than just serving Potao including embezzlement of files from encrypted drives.

Researchers of ESET observed that Potao is not particularly an advanced or sophisticated malware but continued that clever deceits and social engineering tactics can make espionage campaigns successful.

» SPAMfighter News - 8/11/2015