http://www.welivesecurity.com/2015/07/30/operation-potao-express/
http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf
TL; DR
http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf
2011- July 2015
- Aka Sapotao and node69
- Group - Sandworm / Quedagh APT
- Vectors - USB, exe as doc, xls
- Victims - RU, BY, AM, GE
- Victims - MMM group, UA gov
- truecryptrussia.ru has been serving modified versions of the encryption software (Win32/FakeTC) that included a backdoor to selected targets.
- Win32/FakeTC - data theft from encrypted drives
- The Potao main DLL only takes care of its core functionality; the actual spying functions are implemented in the form of downloadable modules. The plugins are downloaded each time the malware starts, since they aren't stored on the hard drive.
- 1st Full Plugin and its export function is called Plug. Full plugins run continuously until the infected system is restarted
- 2nd Light Plugin with an export function Scan. Light plugins terminate immediately after returning a buffer with the information they harvested off the victim's machine.
- Some of the plugins were signed with a certificate issued to "Grandtorg":
- Traffic
- Strong encryption. The data sent is encapsulated using the XML-RPC protocol.
- MethodName value 10a7d030-1a61-11e3-beea-001c42e2a08b is always present in Potao traffic.
- After receiving the request the C&C server generates an RSA-2048 public key and signs this generated key with another, static RSA-2048 private key .
- In 2nd stage the malware generates a symmetric AES-256 key. This AES session key is encrypted with the newly received RSA-2048 public key and sent to the C&C server.
- The actual data exchange after the key exchange is then encrypted using symmetric cryptography, which is faster, with the AES-256 key
- The Potao malware sends an encrypted request to the server with computer ID, campaign ID, OS version, version of malware, computer name, current privileges, OS architecture (64 or 32bits) and also the name of the current process.
- Potao USB - uses social engineering, exe in the root disguised as drive icon
- Potao Anti RE - uses the MurmurHash2 algorithm for computing the hashes of the API function names.
- Potao Anti RE - encryption of strings
- Russian TrueCrypt Win32/FakeTC - The malicious program code within the otherwise functional TrueCrypt software runs in its own thread. This thread, created at the end of the Mount function, enumerates files on the mounted encrypted drive, and if certain conditions are met, it connects to the C&C server, ready to execute commands from the attackers.
- IOC https://github.com/eset/malware-ioc/tree/master/potao
| Type | SHA256 | MD5 |
|---|---|---|
| 1stVersion | 1fe6af3d704d2fc0c7acd58b069a31eec866668ec6e25f52354e6e61266db8db | 85b0e3264820008a30f17ca19332fa19 |
| 1stVersion | 2ff0941fe3514abc12484ad2853d22fd7cb36469a313b5ecb6ef0c6391cf78ab | ac854a3c91d52bfc09605506e76975ae |
| 1stVersion | 54a76f5cd5a32ed7d5fa78e5d8311bafc0de57a475bc2fddc23ee4b3510b9d44 | 3b7d88a069631111d5585b1b10cccc86 |
| 1stVersion | 76c7c67274cf5384615a120e69be3af64cc31d9c4f05ff2031120612443c8360 | d1658b792dd1569abc27966083f59d44 |
| 1stVersion | 244c181eb442fefcf1e1daf900896bee6569481c0e885e3c63efeef86cd64c55 | 0c7183d761f15772b7e9c788be601d29 |
| 1stVersion | 887a721254486263f1f3f25f3c677da62ef5c062c3afa7ef70c895bc8b17b424 | a35e48909a49334a7ebb5448a78dcff9 |
| 1stVersion | 945c594aee1b5bd0f3a72abe8f5a3df74fc6ca686887db5e40fe859e3fc90bb1 | 502f35002b1a95f1ae135baff6cff836 |
| 1stVersion | ab8d308fd59a8db8a130fcfdb6db56c4f7717877c465be98f71284bdfccdfa25 | a446ced5db1de877cf78f77741e2a804 |
| 1stVersion | b22a614a291111398657cf8d1fa64fa50ed9c66c66a0b09d08c53972c6536766 | d939a05e1e3c9d7b6127d503c025dbc4 |
| 1stVersion | fcfdcbdd60f105af1362cfeb3decbbbbe09d5fc82bde6ee8dfd846b2b844f972 | 14634d446471b9e2f55158d9ac09d0b2 |
| DebugVersion | 910f55e1c4e75696405e158e40b55238d767730c60119539b644ef3e6bc32a5d | 7263a328f0d47c76b4e103546b648484 |
| DebugVersion | c821cb34c86ec259af37c389a8f6cd635d98753576c675882c9896025a1abc53 | bdc9255df5385f534fea83b497c371c8 |
| DebugVersion | f845778c3f2e3272145621776a90f662ee9344e3ae550c76f65fd954e7277d19 | 5199fcd031987834ed3121fb316f4970 |
| Droppersfrompostalsites | 4dcf14c41b31f8accf9683917bfc9159b9178d6fe36227195fabc232909452af | 65f494580c95e10541d1f377c0a7bd49 |
| Droppersfrompostalsites | 8bc189dee0a71b3a8a1767e95cc726e13808ed7d2e9546a9d6b6843cea5eb3bd | a4b0615cb639607e6905437dd900c059 |
| Droppersfrompostalsites | 048621ecf8f25133b2b09d512bb0fe15fc274ec7cb2ccc966aeb44d7a88beb5b | 07e99b2f572b84af5c4504c23f1653bb |
| Droppersfrompostalsites | aa23a93d2fed81daacb93ea7ad633426e04fcd063ff2ea6c0af5649c6cfa0385 | 1927a80cd45f0d27b1ae034c11ddedb0 |
| Droppersfrompostalsites | c66955f667e9045ea5591ebf9b59246ad86227f174ea817d1398815a292b8c88 | 579ad4a596602a10b7cf4659b6b6909d |
| Droppersfrompostalsites | d6f126ab387f1d856672c730991573385c5746c7c84738ab97b13c897063ff4a | e64eb8b571f655b744c9154d8032caef |
| Dropperswdecoy | 61dd8b60ac35e91771d9ed4f337cd63e0aa6d0a0c5a17bb28cac59b3c21c24a9 | d755e52ba5658a639c778c22d1a906a3 |
| Dropperswdecoy | 4328b06093a4ad01f828dc837053cb058fe00f3a7fd5cfb9d1ff7feb7ebb8e32 | b4d909077aa25f31386722e716a5305c |
| Dropperswdecoy | 15760f0979f2ba1b4d991f19e8b59fc1e61632fcc88755a4d147c0f5d47965c5 | fc4b285088413127b6d827656b9d0481 |
| Dropperswdecoy | b9c285f485421177e616a148410ddc5b02e43f0af375d3141b7e829f7d487bfd | 73e7ee83133a175b815059f1af79ab1b |
| Dropperswdecoy | cf3b0d8e9a7d0ad32351ade0c52de583b5ca2f72e5af4adbf638c81f4ad8fbcb | eebbcb1ed5f5606aec296168dee39166 |
| Dropperswdecoy | dbc1b98b1df1d9c2dc8a5635682ed44a91df6359264ed63370724afa9f19c7ee | 5a24a7370f35dbdbb81adf52e769a442 |
| FakeTrueCryptextractedexe | 4c01ffcc90e6271374b34b252fefb5d6fffda29f6ad645a879a159f78e095979 | b64dbe5817b24d17a0404e9b2606ad96 |
| FakeTrueCryptextractedexe | 5de8c04a77e37dc1860da490453085506f8aa378fbc7d811128694d8581b89ba | 7ca6101c2ae4838fbbd7ceb0b2354e43 |
| FakeTrueCryptextractedexe | 73aae05fab96290cabbe4b0ec561d2f6d79da71834509c4b1f4b9ae714159b42 | f64704ed25f4c728af996eee3ee85411 |
| FakeTrueCryptextractedexe | c7212d249b5eb7e2cea948a173ce96e1d2b8c44dcc2bb1d101dce64bb3f5becc | c1f715ff0afc78af81d215d485cc235c |
| FakeTrueCryptSetup | 42028874fae37ad9dc89eb37149ecb1e6439869918309a07f056924c1b981def | f34b77f7b2233ee6f727d59fb28f438a |
| FakeTrueCryptSetup | a3a43bbc69e24c0bc3ab06fbf3ccc35cf8687e2862f86fb0d269258b68c710c9 | babd17701cbe876149dc07e68ec7ca4f |
| FakeTrueCryptSetup | b8844e5b72971fe67d2905e77ddaa3366ae1c3bead92be6effd58691bc1ff8ec | cfc8901fe6a9a8299087bfc73ae8909e |
| FakeTrueCryptSetup | fe3547f0e052c71f872bf09cdc1654137ee68f878fc6d5a78df16a13e6de1768 | 83f3ec97a95595ebe40a75e94c98a7bd |
| OtherDroppers | 2de76a3c07344ce322151dbb42febdff97ade8176466a3af07e5280bd859a186 | 38e708fea8016520cb25d3cb933f2244 |
| OtherDroppers | 4e88b8b121d768c611fe16ae1f008502b2191edc6f2ee84fef7b12b4d86fe000 | 360df4c2f2b99052c07e08edbe15ab2c |
| OtherDroppers | 29dfc81b400a1400782623c618cb1d507f5d17bb13de44f123a333093648048f | 89a3ea3967745e04199ebf222494452e |
| OtherDroppers | 97afe4b12a9fed40ad20ab191ba0a577f5a46cbfb307e118a7ae69d04adc2e2d | 6ba88e8e74b12c914483c026ae92eb42 |
| OtherDroppers | 793a8ce811f423dfde47a5f44ae50e19e7e41ad055e56c7345927eac951e966b | 043f99a875424ca0023a21739dba51ef |
| OtherDroppers | 904bb2efe661f654425e691b7748556e558a636d4f25c43af9d2d4dfbe83262e | 02d438df779affddaf02ca995c60cecb |
| OtherDroppers | b62589ee5ba94d15edcf8613e3d57255dd7a12fce6d2dbd660fd7281ce6234f4 | 11b4e7ea6bae19a29343ae3ff3fb00ca |
| OtherDroppers | d2c11706736fda2b178ac388206472fd8d050e0f13568c84b37683423acd155d | 27d74523b182ae630c4e5236897e11f3 |
| OtherDroppers | f1f61a0f9488be3925665f8063006f90fab1bf0bd0b6ff5f7799f8995ff8960e | 1ab8d45656e245aca4e59aa0519f6ba0 |
| USBSpreaders | 1acae7c11fb559b81df5fc6d0df0fe502e87f674ca9f4aefc2d7d8f828ba7f5c | 76dda7ca15323fd658054e0550149b7b |
| USBSpreaders | 3d78f52fa0c08d8bf3d42074bf76ee56aa233fb9a6bc76119998d085d94368ca | ca1a3618088f91b8fb2a30c9a9aa4aca |
| USBSpreaders | 7d15bd854c1dfef847cdd3caabdf4ab81f2410ee5c7f91d377cc72eb81135ff4 | a2bb01b764491dd61fa3a7ba5afc709c |
| USBSpreaders | 09c04206b57bb8582faffb37e4ebb6867a02492ffc08268bcbc717708d1a8919 | a59053cc3f66e72540634eb7895824ac |
| USBSpreaders | 12bb18fa9a12cb89dea3733b342940b80cd453886390079cb4c2ffcd664baeda | 2bd0d2b5ee4e93717ea71445b102e38e |
| USBSpreaders | 34e6fb074284e58ca80961feda4fe651d6d658077914a528a4a6efa91ecc749d | 057028e46ea797834da401e4db7c860a |
| USBSpreaders | 90b20b1687909c2f76f750ba3fd4b14731ce736c08c3a8608d28eae3f4cd68f3 | 514423670de210f13092d6cb8916748e |
| USBSpreaders | 93accb71bf4e776955756c76990298decfebe4b1dd9fbf9d368e81dc1cb9532d | abb9f4fab64dd7a03574abdd1076b5ea |
| USBSpreaders | 99a09ad92cc1a2564f3051057383cb6268893bc4a62903eabf3538c6bfb3aa9c | 542b00f903f945ad3a9291cb0af73446 |
| USBSpreaders | 339a5199e6d0b5f781b08b2ca0ad0495e75e52b8e2fd69e1d970388fbca7a0d6 | a427ff7abb17af6cf5fb70c49e9bf4e1 |
| USBSpreaders | 340b09d661a6ac45af53c348a5c1846ad6323d34311e66454e46c1d38d53af8b | 2646f7159e1723f089d63e08c8bfaffb |
| USBSpreaders | 461dd5a58ffcad9fffba9181e234f2e0149c8b8ba28c7ea53753c74fdfa0b0d5 | 609abb2a86c324bbb9ba1e253595e573 |
| USBSpreaders | 4688afcc161603bfa1c997b6d71b9618be96f9ff980e5486c451b1cc2c5076cb | ae552fc43f1ba8684655d8bf8c6af869 |
| USBSpreaders | 7492e84a30e890ebe3ca5140ad547965cc8c43f0a02f66be153b038a73ee5314 | 1234bf4f0f5debc800d85c1bd2255671 |
| USBSpreaders | 61862a55dcf8212ce9dd4a8f0c92447a6c7093681c592eb937a247e38c8109d4 | e685ea8b37f707f3706d7281b8f6816a |
| USBSpreaders | 95631685006ac92b7eb0755274e2a36a3c9058cf462dd46f9f4f66e8d67b9db2 | 9179f4683ece450c1ac7a819b32bdb6d |
| USBSpreaders | b8b02cc57e45bcf500b433806e6a4f8af7f0ac0c5fc9adfd11820eebf4eb5d79 | cdc60eb93b594fb5e7e5895e2b441240 |
| USBSpreaders | e57eb9f7fdf3f0e90b1755d947f1fe7bb65e67308f1f4a8c25bc2946512934b7 | 39b67cc6dae5214328022c44f28ced8b |
| USBSpreaders | e3892d2d9f87ea848477529458d025898b24a6802eb4df13e96b0314334635d0 | 3813b848162261cc5982dd64c741b450 |
| USBSpreaders | f1d7e36af4c30bf3d680c87bbc4430de282d00323bf8ae9e17b04862af286736 | 35724e234f6258e601257fb219db9079 |
More info
- Hack Tools For Games
- Pentest Tools Alternative
- Hacker Tools Apk Download
- Pentest Tools Github
- Hacker Security Tools
- Hack Website Online Tool
- Free Pentest Tools For Windows
- Game Hacking
- Top Pentest Tools
- Pentest Tools Website Vulnerability
- Hacker Tools Windows
- Pentest Tools Tcp Port Scanner
- Best Hacking Tools 2019
- Best Hacking Tools 2019
- Hack Website Online Tool
- Pentest Tools Alternative
- Hacking Tools For Games
- Tools For Hacker
- Pentest Tools Linux
- Hacker Tools Linux
- Hacker Tools For Mac
- Pentest Tools For Mac
- Hacker Tools Github
- Hacking Tools Download
- Computer Hacker
- Best Pentesting Tools 2018
- Hack Tools Pc
- Hacker Tools Apk
- Hack Tools 2019
- Pentest Reporting Tools
- Pentest Tools Linux
- Hacker Tools For Mac
- Nsa Hack Tools Download
- Growth Hacker Tools
- Hacker Tools Free
- Hack Tools Online
- Hacker Tools For Mac
- Hack Tool Apk
- Hacking Tools For Kali Linux
- What Are Hacking Tools
- Hack Tool Apk No Root
- Pentest Tools Open Source
- Black Hat Hacker Tools
- Pentest Tools Free
- Tools For Hacker
- Pentest Tools Tcp Port Scanner
- Hacker Security Tools
- What Are Hacking Tools
- Hacking Tools Github
- Hacker Security Tools
- Pentest Tools Website Vulnerability
- How To Hack
- Hacks And Tools
- How To Make Hacking Tools
- Pentest Tools Alternative
- Hacker Tools List
- Hacker Tools List
- Hacker Tools
- Hacking Tools Kit
- Ethical Hacker Tools
- Hack Tools For Mac
- Hacker Tools Windows
- Hacker Hardware Tools
- Hacking Tools For Kali Linux
- Hacking Tools Name
- Pentest Tools Kali Linux
- Hack Tools Github
- Pentest Tools Github
- Easy Hack Tools
- Best Hacking Tools 2020
- Hack Website Online Tool
- Pentest Tools For Ubuntu
- Pentest Tools Website
- Hacker Tools Free
- What Are Hacking Tools
- What Are Hacking Tools
- Hacking Tools Hardware
- Best Hacking Tools 2019
- Hack Tools For Ubuntu
- Hacking Apps
- Hack Rom Tools
- Hacking Tools For Pc
- Hack Tools For Mac
- Pentest Tools For Mac
- Nsa Hack Tools
- Pentest Tools Windows
- Hacker Tools Github
- Hack Website Online Tool
- Hack Tools Pc
- New Hacker Tools
- Hack Tools
- Hacking Tools Github
- Hacker Tools Mac
- Android Hack Tools Github
- Pentest Tools For Android
No comments:
Post a Comment
All comments are welcome, but if you choose to comment using the "anonymous" button, please be sure to include your name at the end. All TRULY anonymous comments will be deleted. Thanks for your understanding...Blaine (aka 5KidMom)