Modular Potao malware used to spy on targets in Ukraine, Russia


Researchers with ESET have been monitoring Potao malware since it was first identified in 2011, and on Thursday the security firm released new details about the threat and its use in a number of recent espionage campaigns against targets predominately in Ukraine.

Potao malware is modular, meaning that its capabilities are determined based on a variety of downloadable plugins, Robert Lipovsky, senior malware researcher at ESET, told in a Thursday email correspondence.

Some of the plugins that ESET observed include a file stealer, system information collector, password stealer, screen grabber, keylogger, and malware updater, Lipovsky said, adding that the ultimate goal for attackers using Potao is espionage and data theft.

“There are some subtle indicators within the code that the malware writers are Russian speaking,” Lipovsky said. “Note, that malware writers don't necessarily also have to be – and often they are not, as malware is offered for sale – the malware operators.”

A post and whitepaper showed that in 2012 Potao was primarily being used against targets in Russia, but after a lull in activity in 2013, malware activity increased throughout 2014 and 2015 against targets in Ukraine, including government and military entities and a major news agency.

One infection vector observed by researchers involved sending personalized SMS messages to targets that direct them to landing pages – disguised as postal service websites – hosting the malware, the whitepaper said. In these instances, executables were often disguised as Word, Excel and PDF documents.

Another spreading mechanism involves infecting USB devices attached to an infected machine, and passing along the infection when said device is plugged into a different system. All that is required is for a victim to double-click the malware dropper that is placed on the USB drive, which disguises itself as the icon and name of the legitimate USB drive. To make matters trickier, all other files on the drive are made hidden.

A third spreading mechanism involves open source encryption software known as TrueCrypt. Researchers observed the truecryptrussia[dot]ru website serving to selective targets a modified version of the software that contains a backdoor. The modified version – identified as Win32/FakeTC – has more features than just delivering Potao, including stealing files from encrypted drives.

ESET researchers noted that Potao is not a particularly advanced or sophisticated malware, but they added that clever tricks and social engineering can enable successful espionage campaigns.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.