Analysts of our anti-virus laboratory investigated a series of cyber attacks and malicious campaigns that use the Win32/Potao malware. Although the anti-virus products of our company, as well as those of some other vendors, already detect this malware, it has remained outside public view. The first samples of Win32/Potao date back to 2011.

Cyber attacks using Potao are a type of targeted attack, some examples of which we have already considered, such as the BlackEnergy malware (aka Sandworm, Quedagh), which is prevalent in Ukraine and Russia, as well as in some CIS countries, including Georgia and Belarus.
The computer networks of the Ukrainian military and government, as well as one of the leading Ukrainian news agencies, were victims of Potao. In addition, the malware was used by cybercriminals to spy on participants in the MMM financial pyramid, which is popular in both Russia and Ukraine. One of the most interesting features of this malicious campaign is that the attackers compromised the well-known legitimate open-source encryption software TrueCrypt and then used it to distribute the malware.
The Russian website for this encryption tool, truecryptrussia.ru, distributed a version of the TrueCrypt application that contained a backdoor. An interesting feature is that the malicious copies of the application were delivered only to some users, which is an indicator of the targeted nature of this campaign. This also explains why the backdoor remained unnoticed by users and visitors of the website for a long time. The same domain was used by the operators as a C&C server for the malware. In some cases, Win32/Potao is downloaded onto the computer by another malicious program, which our products detect as Win32/FakeTC.
Our report contains detailed information about the large number of attacks using Win32/Potao that the attackers have organized over the past 5 years. Similar to the BlackEnergy malware used by the Sandworm cyber group, Potao is a versatile modular cyber espionage tool. The cyber attacks in which Potao was used are targeted and fall into the Advanced Persistent Threat (APT) category. We observed only sporadic cases of Potao being used in mass malicious campaigns.
General information
As we mentioned earlier, the Potao malware is not new: it was discovered as early as 2011. One of the possible reasons why this malware has not yet been publicly covered is its low level of activity. In the period from 2011 to 2013 the number of detections of this malware was low. A significant increase in the prevalence of Potao, according to ESET LiveGrid, was observed in 2014 and 2015 (Figure 1).

Fig. 1. Win32 / Potao distribution statistics at different time intervals according to ESET LiveGrid.
As the diagram above shows, we did not include statistics for Win32/Potao for 2011. This is because during that period Potao was distributed by the attackers as part of mass campaigns, i.e. at that time the malware was not used in targeted attacks against users. The debug versions of Potao, discovered in 2013, were also excluded from the chart data.
The use of Potao in mass campaigns against users makes it resemble malware such as BlackEnergy or even Stuxnet. These well-known malicious programs were used for targeted cyber attacks, but ultimately they became widespread, infecting users for whom they were not initially intended. While investigating the malware campaigns involving Potao, we discovered that the attackers used debug versions of this malware to test it before using it in targeted attacks.
The main reason for the increase in the number of Potao detections in 2014 and 2015 was a mechanism, added by the attackers, for infecting removable USB drives.

Fig. 2. Chronology of malicious campaigns using Potao.
To compile the above chronology, we used data from our ESET LiveGrid cloud system, as well as the timestamps of the executable PE files of the malware.
The first cyber campaign using Potao was recorded in August 2011. It was not a targeted attack but a mass one. The executable files of the malware used in this campaign contained the encrypted string GlobalPotao.
The propagation mechanism of Potao in this campaign was simple but effective. Malicious droppers were distributed as attachments to phishing e-mail messages, with the MS Word document icon used as the icon of the executable file. This disguise helps to lull the vigilance of users who receive such phishing messages. It should be noted that the attackers did not use any exploits to install the malware automatically. In addition to the payload, the droppers contained a fake Word document that was displayed to the user to disguise the installation of the malware on the system.
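Added example, not code from the ESET report: a defender-side triage check for the attachment disguise described above, i.e. a PE executable whose file name mimics a document (the same trick recurs later in the report with names such as “Wedding_invitation.exe”). The word list, the benign control names and the in-memory PE stub are constructed assumptions; an icon check would additionally require PE resource parsing and is not shown.

```python
import re
import struct
from typing import List

# Document-themed words that look out of place on an executable (assumed list).
DOC_WORDS = re.compile(r"invitation|report|questionnaire|anketa|rules|payment", re.I)
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def disguise_indicators(name: str, data: bytes) -> List[str]:
    """Return the disguise indicators found for one attachment (empty list = none)."""
    reasons: List[str] = []
    if not is_pe(data):
        return reasons  # a genuine document cannot be a PE dropper of this kind
    lower = name.lower()
    if lower.endswith(EXEC_EXTS):
        stem = lower.rsplit(".", 1)[0]
        if stem.endswith(DOC_EXTS):
            reasons.append("double extension: document extension before executable one")
        if DOC_WORDS.search(stem):
            reasons.append("document-themed name on an executable")
    elif lower.endswith(DOC_EXTS):
        reasons.append("PE content behind a document extension")
    return reasons


def fake_pe() -> bytes:
    """Constructed minimal PE stub (not malware): MZ header, e_lfanew = 0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00"


if __name__ == "__main__":
    # Constructed mail-attachment samples: two names from the report, two benign controls.
    samples = [
        ("Wedding_invitation.exe", fake_pe()),
        ("Report on the payment of Kovaleva Alexandra.exe", fake_pe()),
        ("setup.exe", fake_pe()),
        ("report.docx", b"PK\x03\x04" + b"\x00" * 60),  # real .docx files are ZIP containers
    ]
    for fname, blob in samples:
        print(f"{fname!r}: {disguise_indicators(fname, blob) or 'no disguise indicators'}")
```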

Fig. 3. A fake decoy document (bait) that the Potao dropper shows to the user to disguise its installation process.
Other Potao droppers used in the 2011 campaigns contained documents in Armenian. It is interesting to note that a legitimate document belonging to the Armenian Ministry of Labor and Social Affairs was used as one of the decoy documents.

Fig. 4. Legitimate decoy document in Armenian, which was used in Potao droppers in 2011.
Another malicious campaign by the cybercriminals was aimed at participants in the MMM financial pyramid. The Potao executables used in the campaign against MMM members had compile timestamps of April 27, 2012 and the campaign identifier (ID) 00km. The fake decoy document uses the theme of joining the pyramid.

Fig. 5. Decoy document of the dropper used in malicious campaigns against members of MMM.
In this campaign, Potao droppers were found whose decoy documents contained random sequences of Cyrillic characters. As we discovered later, the use of documents with arbitrary character sequences is a kind of calling card of this cyber group.

Fig. 6. Decoy document used in malicious campaigns against MMM participants.
The above file was named by the attackers “Report on the payment of Kovaleva Alexandra.exe”. In addition, the campaign ID mmmL confirms that the attackers used the malware against MMM users.
On June 19, 2012, the founder of the MMM pyramid, Sergey Mavrodi, posted a warning on the pyramid's website that attackers were sending phishing e-mails in his name containing a link to malware hosted on Dropbox.

Fig. 7. Warning message about the malicious mailing from the founder of MMM, Sergey Mavrodi.

Fig. 8. Archive with malware hosted on the Dropbox service.
As shown above, the attackers used the file names “Questionnaire and rules” and “anketa_i_pravila”; the droppers had a compilation timestamp of June 13, 2012 and the campaign ID “NMMM”.
We can assume that the Potao operators used this spyware to spy on the participants or organizers of this financial pyramid.
In 2013, traces of Potao were found in Georgia. The executable file of the malware, which had a timestamp of October 15, 2013, was called “Wedding_invitation.exe”. This time the decoy document contained the text of a wedding invitation. Both the file name and the text of the document were in English.

Fig. 9. Appearance of the decoy document used in Potao droppers aimed at users in Georgia.
Potao in Ukraine
Before detecting the increase in Win32/Potao activity in Ukraine in 2014, we discovered several debug versions of this malware in the fall of 2013. We can assume that the attackers tested the new version of the malware before using it in targeted cyber attacks against Ukrainian users.

Fig. 10. Fragment of the code of the debug version of the malicious program.
It is interesting to note that one of the campaign identifiers in these debug versions of Potao was the word krim (Crimea).
In March 2014, the criminal group switched to a new distribution vector for Potao. They began to use a so-called landing page for installing the malware. The web page was called MNTExpress. We believe that the design of this website was copied from the website of the Russian postal service Pony Express.

Fig. 10. Appearance of the web page of the Pony Express delivery service.

Fig. 11. Appearance of the MNTExpress web page.
Disguising a phishing e-mail as a mail service notification is a very common method for attackers to spread malware. Instructions for downloading the malicious program may be located in the body of the message. However, the Potao cyber group took a different approach. Intended victims received SMS messages containing a link to a web page with the malware. The SMS also contained a special tracking code and the name of the recipient. This method is another indicator of a targeted attack, since, firstly, the attackers had to conduct reconnaissance to obtain the victim's full name and phone number, and secondly, in order to receive the malware file, the victim had to enter the code sent in the SMS message.

Fig. 12. SMS sent by hackers.

Fig. 13. One of the recipients of the SMS messages from the attackers trying to get information about it in a public group on the social network vkontakte.
A similar malware distribution scenario was used again by the attackers in March 2015. This time, they registered the domain WorldAirPost.com, and the website design was taken from the Singapore postal service; they simply replaced the Singapore Post logo with that of Italy Post.

Fig. 14. Appearance of the legitimate Singapore Post website.

Fig. 15. Appearance of the fake WorldAirPost.com website.
At the time of our analysis, the attackers were still active, registering another domain, WorldAirPost.net, in June 2015. It should be noted that MNTExpress supported two languages, Russian and English, while WorldAirPost supported only English. With this website, the attackers disguised the droppers as an MS Excel document rather than a Word document.
In addition, instead of displaying a decoy document (bait), the dropper shows the user a special system message (Fig. 16).

Fig. 16. The system message displayed by the dropper to the user when launched on the system.
Since March 2015, our anti-virus laboratory has detected malicious Potao files on the computers of Ukrainian military and government organizations, as well as on computers of one of the largest Ukrainian news agencies. The distributed droppers were disguised as MS Word documents and given meaningful file names.

Fig. 17. File names of droppers used in cyber attacks on high-level institutions in Ukraine.
The file names show that the droppers were aimed at the military and government institutions of Ukraine. The decoy document in these droppers appears to have been corrupted (Fig. 18).

Fig. 18. Appearance of the decoy document used in Potao droppers from March 5, 2015.
TrueCrypt encryption application compromise
While monitoring the Potao botnet, we detected infections that were initially carried out by other malware via suspicious websites.
We found that Win32/Potao was installed on the system by an executable file called TrueCrypt.exe. At first glance, this was not surprising, since attackers often give malicious files trusted-looking names. In this case, however, the situation was different: a compromised version of the legitimate encryption software TrueCrypt acted as a dropper (downloader) for Potao. Further investigation revealed that this modification of TrueCrypt was distributed through the website truecryptrussia.ru. Moreover, we were able to establish that the attackers used this domain name as one of the addresses of the C&C server. This leads us to believe that the site is not legitimate but was conceived by its owners from the outset to carry out malicious operations. Thus, the website itself and the software called “TrueCrypt Russia” served the following malicious functions.
- Hosting a malicious modification of the TrueCrypt encryption software.
- As a consequence of the first point, hosting the Win32/Potao malware.
- Using the website address as a C&C server for Win32/FakeTC.
It should be noted that not every visitor to the above website received the malicious modification of TrueCrypt. The download of a malicious copy is organized on a selective basis. This is further evidence of the targeted nature of the cyber attacks using Potao.

Fig. 19. TrueCrypt Russia web page.
According to our ESET LiveGrid statistics, this website has distributed a malicious version of the TrueCrypt software since at least June 2012. The timestamps of the malware files in this case date from April 2012.
Georgian cyber campaign
As confirmation that the attackers behind Potao were still very active at the time of writing this study, we can cite one of the malware droppers, with a compilation date of July 20, 2015, which was used to compromise users in Georgia. This time the decoy document was a PDF file.

Fig. 20. An example of the decoy document from the “Georgian dropper”.