Criminals spying on high-value targets in Ukraine, Russia and Belarus, and their encrypted data.
ESET, a global leader in IT security for more than two decades, presents Operation Potao Express, an extensive analysis of the cyberespionage group behind the Win32/Potao malware family.
Win32/Potao is an example of espionage malware. It has been detected mostly in Ukraine and a number of other CIS countries, including Russia, Georgia and Belarus. The Potao family is a typical cyberespionage trojan that steals passwords and sensitive information and sends them to the attackers’ remote server.
Similar to BlackEnergy, Potao was used to spy on the Ukrainian government, military entities and a major Ukrainian news agency. It was also used to spy on members of MMM, a financial pyramid scheme popular in Russia and Ukraine. Besides the variety of attack campaigns, there is one other interesting fact about Win32/Potao.
“Our investigation of Potao uncovered a very interesting connection to a Russian version of the now-discontinued popular open-source encryption software, TrueCrypt,” says Robert Lipovsky, Senior Malware Researcher at ESET.
Investigating further, ESET researchers discovered another connection between the trojanized TrueCrypt and the truecryptrussia.ru website, which not only delivered infected encryption software in some specific cases but also acted as a command and control (C&C) server for the backdoor.