
Potao Express

Posted: October 8, 2019

The Potao Express is a series of campaigns and their associated threat actor that targets post-Soviet nations, especially Ukraine. Its attacks, although limited in technical sophistication, deliver backdoor Trojans that are capable of handing system control and information over to an attacker. In particular, TrueCrypt software users should analyze their PCs with anti-malware solutions for potential compromises related to this threat, and remove the Potao Express's Trojans during the scans, if appropriate.

The Express Lane from Encryption to Trojanization

Although some espionage Trojan arsenals evade detection through highly sophisticated programming, other operators keep their heads below the security industry's radar by different means. The Potao Express campaigns are among the most high-profile cases of a deliberately low-profile series of Trojan attacks: although they deliver in-house, custom threats to their targets, they avoided detection for years thanks to extremely narrow and specific targeting.

Describing the Potao Express methodology also requires mentioning TrueCrypt, a normally legitimate disk-encryption application. The threat actor's favorite infection vector is a compromised TrueCrypt installer, which drops FakeTC, a trojanized TrueCrypt build, and FakeTC in turn delivers Potao. However, conditionals in the infection chain withhold the Trojan and the full payload unless the target is one of interest to the Potao Express operators.

Malware researchers categorize Potao as a backdoor Trojan that gives the attacker remote administration of the PC. Both Potao and FakeTC also function as spyware, collecting information for handing over to the attackers. However, only Potao includes a worm-like feature for spreading via USB removable drives: it places its executables on the drive disguised with the icons of Word documents, so that a user browsing the drive launches the malware believing it to be a document.
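The USB masquerade described above can be checked for without inspecting icon resources: an executable carrying a document-like name, or a PE file hiding behind a document extension, is the visible residue of the trick. The following script is an added example written for this page, not code from the original article or from the researchers who documented Potao; it walks a directory standing in for a mounted removable drive and flags such files. The sample files it creates are constructed for the demonstration, and the detection rules (a document extension directly before an executable extension, or an 'MZ' header behind a document extension) are this example's own, slightly more general than the Word-icon case the text describes.

```python
"""Flag executables on a removable drive that masquerade as documents (added example)."""
import os
import tempfile

# Extensions a document-looking lure would carry (list chosen for this example)
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".txt"}
# Extensions Windows will execute directly when double-clicked
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_pe_file(path):
    """A Windows executable starts with the 'MZ' DOS header, whatever its name says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def classify_file(path):
    """Return the reasons this file looks like a document-disguised executable."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(stem)   # ".doc" in "report.doc.exe"
    pe = is_pe_file(path)
    reasons = []
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        # With "hide extensions for known file types" on, Explorer shows "report.doc"
        reasons.append("document extension hidden behind executable extension")
    if ext in DOCUMENT_EXTS and pe:
        reasons.append("PE header behind a document extension")
    if ext in EXECUTABLE_EXTS and pe and not reasons:
        # Not a masquerade by name alone, but worth a look at its icon and signer
        reasons.append("executable on removable media (review its icon and signer)")
    return reasons


def scan_removable(root):
    """Walk a mounted removable drive and return {relative_path: [reasons]} for suspects."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_drive():
    """Create a temporary directory that stands in for a USB stick (constructed data)."""
    root = tempfile.mkdtemp(prefix="usb_")
    samples = {
        "Quarterly report.doc.exe": b"MZ\x90\x00" + b"\x00" * 60,  # lure with double extension
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,               # PE renamed to look like a PDF
        "notes.docx": b"PK\x03\x04" + b"\x00" * 60,                # genuine OOXML zip container
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,                 # undisguised executable
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for path, reasons in sorted(scan_removable(drive).items()):
        print(path, "->", "; ".join(reasons))
```

Run it against the mount point of a real drive by calling scan_removable with that path instead of the constructed sample; the header check is what catches renamed binaries, since the extension alone is under the attacker's control.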

Slowing Down an Express Trojan Delivery System

Although Potao and FakeTC are neither well-programmed nor especially complex, they give the Potao Express operators significant access to the victim's filesystem. Ordinarily, only long-term TrueCrypt users are likely targets. Of special note is the fact that the Potao Express also operates inside Russia, not just in Russia's neighboring nations, and that one of its domains serving FakeTC uses the Russian .ru top-level domain.

A complete list of potential indicators of compromise is available for free, although most users shouldn't attempt to identify spyware or backdoor Trojans manually. The usual infection procedure also installs a 'normal', fully functional copy of TrueCrypt, so the victim sees no sign of the attack. Accordingly, users should keep their anti-malware products updated and ready to detect and remove the Potao Express Trojans on a case-by-case basis.

With years of essentially invisible operations behind them, it's difficult to criticize the Potao Express tactics. Investing in resource-heavy development can be wasteful when more straightforward techniques get the job done, with no more help than a victim's visit to a website serving corrupted software.
