Friday, 31 July 2015

Infected Version TrueCrypt Used For Cyber Spying


A Russian website has years of an infected version of the popular encryption program TrueCrypt offered, which in reality turned out to be a Trojan horse that has been used for cyber-espionage. That leaves the Slovak anti-virus company ESET in a report published today ( pdf ) know.

The website was a truecryptrussia.ru offered in Russian translated version of TrueCrypt. Visitors who met but were offered an infected version specific criteria. What criteria were precisely known. Once installed on the system was also installed a backdoor that allows the attackers had full control over the computer. At least since June 2012 was offered via truecryptrussia.ru malware.

As a select number of victims were attacked in this way, could also backed by long time undetected, according to ESET. The TrueCrypt website also served as Command & Control domain. Communication between the attackers and infected computers ran through the website. Researchers also think the site was managed by the attackers and that it is not a hacked website.

Apart from the TrueCrypt website spread the malware, called Potao, also via e-mail attachments and USB sticks. This was done on a simple but effective way. The malware placed himself on the USB stick and made all other files invisible. In addition, the malware got the name of the USB stick and a disk icon. Users would have thought that it was a disk or shortcut while they opened the malware in reality.

Most targets of the malware were located in the Ukraine. It was among other things the Ukrainian government, the Ukrainian army and a major Ukrainian news agency. Members of the Russian and Ukrainian popular pyramid games were spied by the malware. So were victims of infectious TrueCrypt version mainly in Russia.

SHA1 hashes: Early Potao versions: 

8839D3E213717B88A06FFC48827929891A10059E
5C52996D9F68BA6FD0DA4982F238EC1D279A7F9D 
CE7F96B400ED51F7FAB465DEA26147984F2627BD 
D88C7C1E465BEA7BF7377C08FBA3AAF77CBF485F 
81EFB422ED2631C739CC690D0A9A5EAA07897531 
18DDCD41DCCFBBD904347EA75BC9413FF6DC8786 
E400E1DD983FD94E29345AABC77FADEB3F43C219 
EB86615F539E35A8D3E4838949382D09743502BF 
52E59CD4C864FBFC9902A144ED5E68C9DED45DEB 
642BE4B2A87B47E77814744D154094392E413AB1 

Debug versions: 

BA35EDC3143AD021BB2490A3EB7B50C06F2EA40B 
9D584DE2CCE6B654E62573938C2C824D7CC7D0EB 
73A4A6864EF68C810C7C699ED51B759CF1C4ADFB 
1B3437C06CF917920688B25DA0345749AA1A4A46 

Droppers with decoy documents: 

FBB399568E0A3B2E461A4EB3268ABDF07F3D5764 
4D5E0808A03A75BFE8202E3A6D2920EDDBFC7774 
BCC5A0CE0BCDFEA2FD1D64B5529EAC7309488273 
F8BCDAD02DA2E0223F45F15DA4FBAB053E73CF6E 
2CDD6AABB71FDB244BAA313EBBA13F06BCAD2612 
9BE3800B49E84E0C014852977557F21BCDE2A775 
4AC999A1C54AE6F54803023DC0FCF126CB77C854 
59C07E5D69181E6C3AFA7593E26D33383722D6C5 
E15834263F2A6CCAE07D106A71B99FE80A5F744B 
A62E69EF1E4F4D48E2920572B9176AEDB0EEB1C6 
900AD432B4CB2F2790FFEB0590B0A8348D9E60EB 
856802E0BD4A774CFFFE5134D249508D89DCDA58 
A655020D606CA180E056A5B2C2F72F94E985E9DB 
04DE076ACF5394375B8886868448F63F7E1B4DB9 31 

Droppers from postal websites:

94BBF39FFF09B3A62A583C7D45A00B2492102DD7 
F347DA9AAD52B717641AD3DD96925AB634CEB572 
A4D685FCA8AFE9885DB75282516006F5BC56C098 
CC9BDBE37CBAF0CC634076950FD32D9A377DE650 
B0413EA5C5951C57EA7201DB8BB1D8C5EF42AA1E 
0AE4E6E6FA1B1F8161A74525D4CB5A1808ABFAF4 
EC0563CDE3FFAFF424B97D7EB692847132344127 
639560488A75A9E3D35E4C0D9C4934295072DD89 

USB-spreaders:

850C9F3B14F895AAA97A85AE147F07C9770FB4C7 
BB0500A24853E404AD6CA708813F926B90B38468 
71A5DA3CCB4347FE785C6BFFF7B741AF80B76091 
7664C490160858EC8CFC8203F88D354AEA1CFE43 
92A459E759320447E1FA7B0E48328AB2C20B2C64 
BB7A089BAE3A4AF44FB9B053BB703239E03C036E 
DB966220463DB87C2C51C19303B3A20F4577D632 
37A3E77BFA6CA1AFBD0AF7661655815FB1D3DA83 
181E9BCA23484156CAE005F421629DA56B5CC6B5 
A96B3D31888D267D7488417AFE68671EB4F568BD 
224A07F002E8DFB3F2B615B3FA71166CF1A61B6D 
5D4724FBA02965916A15A50A6937CDB6AB609FDD 
8BE74605D90ED762310241828340900D4B502358 
5BE1AC1515DA2397A7C52A8B1DF384DD938FA714 
56F6AC6197CE9CC774F72DF948B414EED576B6C3 
F6F290A95D68373DA813782EF4723E39524D048B 
48904399F7726B9ADF7F28C07B0599717F741B8B 
791ECF11C04470E9EA881549AEBD1DDED3E4A5CA 
E2B2B2C8FB1996F3A4A4E3CEE09028437A5284AE 
5B30ECFD47988A77556FE6C0C0B950510052C91E 
4EE82934F24E348696F1C813C24797618286A70C 
B80A90B39FBA705F86676C5CC3E0DECA225D57FF 
971A69547C5BC9B711A3BB6F6F2C5E3A46BF7B29 
C1D8BE765ADCF76E5CCB2CF094191C0FEC4BF085 
2531F40A1D9E50793D04D245FD6185AAEBCC54F4

32 Other droppers:

D8837002A04F4C93CC3B857F6A42CED6C9F3B882 
BA5AD566A28D7712E0A64899D4675C06139F3FF0 
FF6F6DCBEDC24D22541013D2273C63B5F0F19FE9 
76DA7B4ABC9B711AB1EF87B97C61DD895E508232 
855CA024AFBA0DC09D336A0896318D5CC47F03A6 
12240271E928979AB2347C29B5599D6AC7CD6B8E 
A9CB079EF49CEE35BF68AC80534CBFB5FA443780 
1B278A1A5E109F32B526660087AEA99FB8D89403 
4332A5AD314616D9319C248D41C7D1A709124DB2 
5BEA9423DB6D0500920578C12CB127CBAFDD125E 

Plugins: 

2341139A0BC4BB80F5EFCE63A97AA9B5E818E79D 
8BD2C45DE1BA7A7FD27E43ABD35AE30E0D5E03BC 
54FEDCDB0D0F47453DD65373378D037844E813D0 
CC3ECFB822D09CBB37916D7087EB032C1EE81AEE 
F1C9BC7B1D3FD3D9D96ECDE3A46DFC3C33BBCD2B 
9654B6EA49B7FEC4F92683863D10C045764CCA86 
526C3263F63F9470D08C6BA23E68F030E76CAAF3 
E6D2EF05CEDCD4ABF1D8E3BCAF48B768EAC598D7 
CEBAB498E6FB1A324C84BA267A7BF5D9DF1CF264 
324B65C4291696D5C6C29B299C2849261F816A08 
C96C29252E24B3EEC5A21C29F7D9D30198F89232 
CDDDE7D44EFE12B7252EA300362CF5898BDC5013 
84A70CDC24B68207F015D6308FE5AD13DDABB771 

Fake TrueCrypt setup: 

82F48D7787BDE5B7DEC046CBEF99963EEEB821A7 
9666AF44FAFC37E074B79455D347C2801218D9EA 
C02878A69EFDE20F049BC380DAE10133C32E9CC9 
7FBABEA446206991945FB4586AEE93B61AF1B341 

Fake TrueCrypt extracted exe: 

DCBD43CFE2F490A569E1C3DD6BCA6546074FD2A1 
422B350371B3666A0BD0D56AEAAD5DEC6BD7C0D0 
88D703ADDB26ACB7FBE35EC04D7B1AA6DE982241 
86E3276B03F9B92B47D441BCFBB913C6C4263BFE

No comments:

Post a Comment