
FakeTC

Posted: April 22, 2019

FakeTC is a backdoor Trojan with spyware capabilities. Its attacks have traditionally targeted specific, high-interest entities in Russia and nearby nations, including government servers holding encrypted data. Users should verify that their copy of the TrueCrypt software has not been tampered with by a version of this threat and use appropriate anti-malware solutions to remove FakeTC infections.

Unauthorized Encryption, but not in the Way that You're Thinking

Cryptography figures prominently among the themes in the threats that malware researchers examine, most obviously in file-locking Trojans like Hidden Tear that hold digital media for ransom by encrypting it. However, 2015 offers a lesson on encryption's misuse in other roles in Trojan attacks, such as that of a plausible disguise. FakeTC, a Trojan aimed at government and military targets, takes advantage of the victim's need for encryption software to infect their phones and PCs.

The threat actors running the Potao campaign against targets in Russia, Belarus, and especially Ukraine persisted for years in relative anonymity before the AV industry detected them. In 2015, they began serving FakeTC through a Russian website offering a modified version of TrueCrypt – a public encryption utility for securing files. The infection method included geo-filtering that separated unwanted downloaders from the targets they wished to infect.

This tampered installer drops FakeTC alongside the genuine TrueCrypt. The Trojan remains inert until the victim is established as a regular, long-term TrueCrypt user, after which FakeTC activates its data-collecting features. Along with the standard collection of system information (OS version, file listings, etc.) that it hands over to the threat actor, FakeTC also downloads files, uploads them to a Command & Control server, and executes them for purposes such as installing other threats.

FakeTC demonstrated that last function in attacks that dropped Potao, a second Trojan that contaminates USB devices with corrupted executables disguised as documents, complete with an appropriate Word icon. Like FakeTC, it also harbors some data-harvesting functions, although it concentrates on password theft.
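The two checks a defender would want from the above, the tampered-installer delivery and the USB payloads disguised as documents, as an added example that is not part of the original article or of any vendor's tooling: it compares an installer's SHA-256 with a checksum obtained out of band (the expected value here is a constructed placeholder, since the page publishes no hashes) and scans a directory for files that carry the Windows PE "MZ" header but are named like documents or lack an executable extension. The sample files are constructed inline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A PE file with a document-like name or a non-executable extension is the disguise described above.
DOC_LIKE = re.compile(r"\.(docx?|xlsx?|pdf|rtf|txt)\b", re.IGNORECASE)
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".sys"}
PE_MAGIC = b"MZ"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def installer_matches(path, expected_sha256):
    """True if the installer hash equals a checksum obtained out of band."""
    return sha256_of(path).lower() == expected_sha256.lower()

def find_masquerading_executables(root):
    """PE executables under root that are named like documents or lack an executable extension."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        with open(p, "rb") as f:
            is_pe = f.read(2) == PE_MAGIC
        if is_pe and (DOC_LIKE.search(p.name) or p.suffix.lower() not in EXEC_SUFFIXES):
            hits.append(p.name)
    return sorted(hits)

def demo():
    """Build a constructed sample drive in a temp dir, scan it, and check an installer hash."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "report.doc.exe": b"MZ\x90\x00constructed PE stub",  # document name, PE content
            "budget.xls": b"MZ\x90\x00constructed PE stub",      # PE under a document extension
            "notes.txt": b"plain text, not executable",          # clean
            "TrueCrypt Setup.exe": b"MZ\x90\x00constructed installer",  # ordinary exe
        }
        for name, data in samples.items():
            Path(d, name).write_bytes(data)
        hits = find_masquerading_executables(d)
        installer = Path(d, "TrueCrypt Setup.exe")
        good = installer_matches(installer, sha256_of(installer))  # checksum agrees
        bad = installer_matches(installer, "00" * 32)              # placeholder mismatch
    return hits, good, bad
```

Only the two disguised files are reported; a genuine installer passes when its hash matches the published checksum and fails against the placeholder.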

Getting a Fake Out of Your Real Encryption Program

Between its tendency to hibernate and an infection vector aimed at a limited, high-specificity set of targets like Ukrainian government and military employees, it's not surprising that FakeTC evaded the cyber-security industry for some time. While FakeTC's attacks are relatively ancient history by the standards of state espionage, they provide a helpful viewpoint on the alternative infection strategies, beyond spam e-mails, that threat actors use to compromise a sensitive target. Malware researchers also confirm activity from FakeTC's threat actors involving SMS message-based attacks, which used fake links to postal trackers.

FakeTC's code isn't particularly complicated, but the Trojan's attacks are invasive enough, collecting information and running other files, to place it roughly on par with threats like FLASHFLOOD or the Chinese Derusbi family. Symptoms of infection, besides unauthorized network activity, are minor, and users should depend on appropriate anti-malware solutions and firewall policies for their protection. System scans by the proper security products should remove FakeTC in all of its known versions, but they should include any removable devices that Potao could infect.

It's worth looking into the past for reminders of what the future can hold, such as Trojans arriving from unexpected angles. FakeTC is one of many threats that uses its victims' dependence on third-party software as a shortcut into their computers, and from there, into their government networks.
