http://www.welivesecurity.com/2015/07/30/operation-potao-express/
http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf
TL;DR
- Timeframe: 2011 to July 2015
- Also known as Sapotao and node69
- Group: Sandworm / Quedagh APT
- Vectors: USB drives; executables disguised as .doc and .xls documents
- Victims: RU, BY, AM, GE (country codes); the MMM group and the Ukrainian government
- truecryptrussia.ru served modified versions of the encryption software (Win32/FakeTC) that included a backdoor, delivered only to selected targets.
- Win32/FakeTC: data theft from encrypted drives.
- The Potao main DLL handles only the core functionality; the actual spying functions are implemented as downloadable modules. The plugins are downloaded each time the malware starts, since they are not stored on the hard drive.
- Two plugin types:
  - Full plugins, export function Plug: run continuously until the infected system is restarted.
  - Light plugins, export function Scan: terminate immediately after returning a buffer with the information harvested from the victim's machine.
- Some of the plugins were signed with a certificate issued to "Grandtorg".
- Traffic:
  - Strong encryption; the data sent is encapsulated using the XML-RPC protocol.
  - The methodName value 10a7d030-1a61-11e3-beea-001c42e2a08b is always present in Potao traffic.
  - After receiving the request, the C&C server generates an RSA-2048 public key and signs this generated key with another, static RSA-2048 private key.
  - In the second stage the malware generates a symmetric AES-256 session key, encrypts it with the newly received RSA-2048 public key and sends it to the C&C server.
  - The actual data exchange after the key exchange is encrypted with the faster symmetric AES-256 key.
  - The malware's encrypted request to the server carries the computer ID, campaign ID, OS version, malware version, computer name, current privileges, OS architecture (64- or 32-bit) and the name of the current process.
- Potao USB: social engineering; an executable placed in the root of the drive and disguised with a drive icon.
- Potao anti-RE: API function names are looked up by hash, computed with the MurmurHash2 algorithm.
- Potao anti-RE: string encryption.
- Russian TrueCrypt, Win32/FakeTC: the malicious code inside the otherwise functional TrueCrypt build runs in its own thread. This thread, created at the end of the Mount function, enumerates files on the mounted encrypted drive and, if certain conditions are met, connects to the C&C server, ready to execute the attackers' commands.
- IOCs: https://github.com/eset/malware-ioc/tree/master/potao
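The traffic notes above give a detection opportunity that the "strong encryption" line might otherwise hide: the payload is encrypted, but the XML-RPC envelope around it is plaintext, and the methodName constant 10a7d030-1a61-11e3-beea-001c42e2a08b never changes. The following is an added example (not code from the ESET report or the Potao IOC repository) that parses captured request bodies as XML-RPC and flags those carrying that methodName. It assumes the request bodies are already available as text, e.g. exported from a proxy log; the three sample bodies are constructed.

```python
"""Flag Potao-style XML-RPC beacons by their constant methodName.

Added example, not code from the ESET report or the Potao IOC repository.
It assumes captured HTTP request bodies are available as text (proxy log,
PCAP exporter); the sample bodies below are constructed.
"""
import xml.etree.ElementTree as ET

# Constant methodName observed in Potao traffic (value taken from the page).
POTAO_METHOD_NAME = "10a7d030-1a61-11e3-beea-001c42e2a08b"


def xmlrpc_method_name(body: str):
    """Return the <methodName> of an XML-RPC <methodCall> body, or None when
    the body is not well-formed XML or not an XML-RPC call at all."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    node = root.find("methodName")
    if node is None or node.text is None:
        return None
    return node.text.strip()


def is_potao_beacon(body: str) -> bool:
    """True when the XML-RPC methodName equals the Potao constant."""
    return xmlrpc_method_name(body) == POTAO_METHOD_NAME


def scan_bodies(bodies):
    """Return the indexes of the request bodies that match the Potao methodName."""
    return [i for i, b in enumerate(bodies) if is_potao_beacon(b)]


# Constructed sample request bodies: a Potao-style beacon whose parameter is
# an opaque (here made-up) base64 blob, a benign XML-RPC pingback call, and a
# non-XML blob that must not crash the parser.
SAMPLE_BODIES = [
    "<?xml version='1.0'?><methodCall>"
    "<methodName>10a7d030-1a61-11e3-beea-001c42e2a08b</methodName>"
    "<params><param><value><base64>AAECAw==</base64></value></param></params>"
    "</methodCall>",
    "<?xml version='1.0'?><methodCall><methodName>pingback.ping</methodName>"
    "<params><param><value><string>http://example.invalid/</string></value>"
    "</param></params></methodCall>",
    "GET / HTTP/1.1",
]

if __name__ == "__main__":
    for i in scan_bodies(SAMPLE_BODIES):
        print(f"body #{i}: Potao methodName {POTAO_METHOD_NAME!r}")
```

Because the match is on a literal string inside the request body, the same constant works as a content match in a network IDS rule or a proxy log search; parsing the XML first, as above, just avoids false positives where the GUID appears somewhere other than the methodName.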
Type | SHA256 | MD5 |
---|---|---|
1stVersion | 1fe6af3d704d2fc0c7acd58b069a31eec866668ec6e25f52354e6e61266db8db | 85b0e3264820008a30f17ca19332fa19 |
1stVersion | 2ff0941fe3514abc12484ad2853d22fd7cb36469a313b5ecb6ef0c6391cf78ab | ac854a3c91d52bfc09605506e76975ae |
1stVersion | 54a76f5cd5a32ed7d5fa78e5d8311bafc0de57a475bc2fddc23ee4b3510b9d44 | 3b7d88a069631111d5585b1b10cccc86 |
1stVersion | 76c7c67274cf5384615a120e69be3af64cc31d9c4f05ff2031120612443c8360 | d1658b792dd1569abc27966083f59d44 |
1stVersion | 244c181eb442fefcf1e1daf900896bee6569481c0e885e3c63efeef86cd64c55 | 0c7183d761f15772b7e9c788be601d29 |
1stVersion | 887a721254486263f1f3f25f3c677da62ef5c062c3afa7ef70c895bc8b17b424 | a35e48909a49334a7ebb5448a78dcff9 |
1stVersion | 945c594aee1b5bd0f3a72abe8f5a3df74fc6ca686887db5e40fe859e3fc90bb1 | 502f35002b1a95f1ae135baff6cff836 |
1stVersion | ab8d308fd59a8db8a130fcfdb6db56c4f7717877c465be98f71284bdfccdfa25 | a446ced5db1de877cf78f77741e2a804 |
1stVersion | b22a614a291111398657cf8d1fa64fa50ed9c66c66a0b09d08c53972c6536766 | d939a05e1e3c9d7b6127d503c025dbc4 |
1stVersion | fcfdcbdd60f105af1362cfeb3decbbbbe09d5fc82bde6ee8dfd846b2b844f972 | 14634d446471b9e2f55158d9ac09d0b2 |
DebugVersion | 910f55e1c4e75696405e158e40b55238d767730c60119539b644ef3e6bc32a5d | 7263a328f0d47c76b4e103546b648484 |
DebugVersion | c821cb34c86ec259af37c389a8f6cd635d98753576c675882c9896025a1abc53 | bdc9255df5385f534fea83b497c371c8 |
DebugVersion | f845778c3f2e3272145621776a90f662ee9344e3ae550c76f65fd954e7277d19 | 5199fcd031987834ed3121fb316f4970 |
Droppersfrompostalsites | 4dcf14c41b31f8accf9683917bfc9159b9178d6fe36227195fabc232909452af | 65f494580c95e10541d1f377c0a7bd49 |
Droppersfrompostalsites | 8bc189dee0a71b3a8a1767e95cc726e13808ed7d2e9546a9d6b6843cea5eb3bd | a4b0615cb639607e6905437dd900c059 |
Droppersfrompostalsites | 048621ecf8f25133b2b09d512bb0fe15fc274ec7cb2ccc966aeb44d7a88beb5b | 07e99b2f572b84af5c4504c23f1653bb |
Droppersfrompostalsites | aa23a93d2fed81daacb93ea7ad633426e04fcd063ff2ea6c0af5649c6cfa0385 | 1927a80cd45f0d27b1ae034c11ddedb0 |
Droppersfrompostalsites | c66955f667e9045ea5591ebf9b59246ad86227f174ea817d1398815a292b8c88 | 579ad4a596602a10b7cf4659b6b6909d |
Droppersfrompostalsites | d6f126ab387f1d856672c730991573385c5746c7c84738ab97b13c897063ff4a | e64eb8b571f655b744c9154d8032caef |
Dropperswdecoy | 61dd8b60ac35e91771d9ed4f337cd63e0aa6d0a0c5a17bb28cac59b3c21c24a9 | d755e52ba5658a639c778c22d1a906a3 |
Dropperswdecoy | 4328b06093a4ad01f828dc837053cb058fe00f3a7fd5cfb9d1ff7feb7ebb8e32 | b4d909077aa25f31386722e716a5305c |
Dropperswdecoy | 15760f0979f2ba1b4d991f19e8b59fc1e61632fcc88755a4d147c0f5d47965c5 | fc4b285088413127b6d827656b9d0481 |
Dropperswdecoy | b9c285f485421177e616a148410ddc5b02e43f0af375d3141b7e829f7d487bfd | 73e7ee83133a175b815059f1af79ab1b |
Dropperswdecoy | cf3b0d8e9a7d0ad32351ade0c52de583b5ca2f72e5af4adbf638c81f4ad8fbcb | eebbcb1ed5f5606aec296168dee39166 |
Dropperswdecoy | dbc1b98b1df1d9c2dc8a5635682ed44a91df6359264ed63370724afa9f19c7ee | 5a24a7370f35dbdbb81adf52e769a442 |
FakeTrueCryptextractedexe | 4c01ffcc90e6271374b34b252fefb5d6fffda29f6ad645a879a159f78e095979 | b64dbe5817b24d17a0404e9b2606ad96 |
FakeTrueCryptextractedexe | 5de8c04a77e37dc1860da490453085506f8aa378fbc7d811128694d8581b89ba | 7ca6101c2ae4838fbbd7ceb0b2354e43 |
FakeTrueCryptextractedexe | 73aae05fab96290cabbe4b0ec561d2f6d79da71834509c4b1f4b9ae714159b42 | f64704ed25f4c728af996eee3ee85411 |
FakeTrueCryptextractedexe | c7212d249b5eb7e2cea948a173ce96e1d2b8c44dcc2bb1d101dce64bb3f5becc | c1f715ff0afc78af81d215d485cc235c |
FakeTrueCryptSetup | 42028874fae37ad9dc89eb37149ecb1e6439869918309a07f056924c1b981def | f34b77f7b2233ee6f727d59fb28f438a |
FakeTrueCryptSetup | a3a43bbc69e24c0bc3ab06fbf3ccc35cf8687e2862f86fb0d269258b68c710c9 | babd17701cbe876149dc07e68ec7ca4f |
FakeTrueCryptSetup | b8844e5b72971fe67d2905e77ddaa3366ae1c3bead92be6effd58691bc1ff8ec | cfc8901fe6a9a8299087bfc73ae8909e |
FakeTrueCryptSetup | fe3547f0e052c71f872bf09cdc1654137ee68f878fc6d5a78df16a13e6de1768 | 83f3ec97a95595ebe40a75e94c98a7bd |
OtherDroppers | 2de76a3c07344ce322151dbb42febdff97ade8176466a3af07e5280bd859a186 | 38e708fea8016520cb25d3cb933f2244 |
OtherDroppers | 4e88b8b121d768c611fe16ae1f008502b2191edc6f2ee84fef7b12b4d86fe000 | 360df4c2f2b99052c07e08edbe15ab2c |
OtherDroppers | 29dfc81b400a1400782623c618cb1d507f5d17bb13de44f123a333093648048f | 89a3ea3967745e04199ebf222494452e |
OtherDroppers | 97afe4b12a9fed40ad20ab191ba0a577f5a46cbfb307e118a7ae69d04adc2e2d | 6ba88e8e74b12c914483c026ae92eb42 |
OtherDroppers | 793a8ce811f423dfde47a5f44ae50e19e7e41ad055e56c7345927eac951e966b | 043f99a875424ca0023a21739dba51ef |
OtherDroppers | 904bb2efe661f654425e691b7748556e558a636d4f25c43af9d2d4dfbe83262e | 02d438df779affddaf02ca995c60cecb |
OtherDroppers | b62589ee5ba94d15edcf8613e3d57255dd7a12fce6d2dbd660fd7281ce6234f4 | 11b4e7ea6bae19a29343ae3ff3fb00ca |
OtherDroppers | d2c11706736fda2b178ac388206472fd8d050e0f13568c84b37683423acd155d | 27d74523b182ae630c4e5236897e11f3 |
OtherDroppers | f1f61a0f9488be3925665f8063006f90fab1bf0bd0b6ff5f7799f8995ff8960e | 1ab8d45656e245aca4e59aa0519f6ba0 |
USBSpreaders | 1acae7c11fb559b81df5fc6d0df0fe502e87f674ca9f4aefc2d7d8f828ba7f5c | 76dda7ca15323fd658054e0550149b7b |
USBSpreaders | 3d78f52fa0c08d8bf3d42074bf76ee56aa233fb9a6bc76119998d085d94368ca | ca1a3618088f91b8fb2a30c9a9aa4aca |
USBSpreaders | 7d15bd854c1dfef847cdd3caabdf4ab81f2410ee5c7f91d377cc72eb81135ff4 | a2bb01b764491dd61fa3a7ba5afc709c |
USBSpreaders | 09c04206b57bb8582faffb37e4ebb6867a02492ffc08268bcbc717708d1a8919 | a59053cc3f66e72540634eb7895824ac |
USBSpreaders | 12bb18fa9a12cb89dea3733b342940b80cd453886390079cb4c2ffcd664baeda | 2bd0d2b5ee4e93717ea71445b102e38e |
USBSpreaders | 34e6fb074284e58ca80961feda4fe651d6d658077914a528a4a6efa91ecc749d | 057028e46ea797834da401e4db7c860a |
USBSpreaders | 90b20b1687909c2f76f750ba3fd4b14731ce736c08c3a8608d28eae3f4cd68f3 | 514423670de210f13092d6cb8916748e |
USBSpreaders | 93accb71bf4e776955756c76990298decfebe4b1dd9fbf9d368e81dc1cb9532d | abb9f4fab64dd7a03574abdd1076b5ea |
USBSpreaders | 99a09ad92cc1a2564f3051057383cb6268893bc4a62903eabf3538c6bfb3aa9c | 542b00f903f945ad3a9291cb0af73446 |
USBSpreaders | 339a5199e6d0b5f781b08b2ca0ad0495e75e52b8e2fd69e1d970388fbca7a0d6 | a427ff7abb17af6cf5fb70c49e9bf4e1 |
USBSpreaders | 340b09d661a6ac45af53c348a5c1846ad6323d34311e66454e46c1d38d53af8b | 2646f7159e1723f089d63e08c8bfaffb |
USBSpreaders | 461dd5a58ffcad9fffba9181e234f2e0149c8b8ba28c7ea53753c74fdfa0b0d5 | 609abb2a86c324bbb9ba1e253595e573 |
USBSpreaders | 4688afcc161603bfa1c997b6d71b9618be96f9ff980e5486c451b1cc2c5076cb | ae552fc43f1ba8684655d8bf8c6af869 |
USBSpreaders | 7492e84a30e890ebe3ca5140ad547965cc8c43f0a02f66be153b038a73ee5314 | 1234bf4f0f5debc800d85c1bd2255671 |
USBSpreaders | 61862a55dcf8212ce9dd4a8f0c92447a6c7093681c592eb937a247e38c8109d4 | e685ea8b37f707f3706d7281b8f6816a |
USBSpreaders | 95631685006ac92b7eb0755274e2a36a3c9058cf462dd46f9f4f66e8d67b9db2 | 9179f4683ece450c1ac7a819b32bdb6d |
USBSpreaders | b8b02cc57e45bcf500b433806e6a4f8af7f0ac0c5fc9adfd11820eebf4eb5d79 | cdc60eb93b594fb5e7e5895e2b441240 |
USBSpreaders | e57eb9f7fdf3f0e90b1755d947f1fe7bb65e67308f1f4a8c25bc2946512934b7 | 39b67cc6dae5214328022c44f28ced8b |
USBSpreaders | e3892d2d9f87ea848477529458d025898b24a6802eb4df13e96b0314334635d0 | 3813b848162261cc5982dd64c741b450 |
USBSpreaders | f1d7e36af4c30bf3d680c87bbc4430de282d00323bf8ae9e17b04862af286736 | 35724e234f6258e601257fb219db9079 |
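The anti-RE note above (API names resolved through MurmurHash2 hashes rather than plaintext imports) is the kind of obstacle an analyst defeats with a precomputed lookup table. Below is an added example, not code from the ESET report, implementing Austin Appleby's 32-bit MurmurHash2 and using it to map hash constants pulled from a sample back to API names. The seed Potao uses and the exact names it resolves are not given on the page, so the seed is a parameter (default 0) and the candidate name list is constructed from common Win32 exports; whether names are hashed with or without their NUL terminator is likewise an assumption noted in the code.

```python
"""Resolve MurmurHash2-hashed API names during malware analysis.

Added example, not code from the ESET report. Implements the reference 32-bit
MurmurHash2 (Austin Appleby) and a hash -> name lookup built from candidate
export names. Seed and candidate list are assumptions, not values from the page.
"""

MASK32 = 0xFFFFFFFF


def murmurhash2(data: bytes, seed: int = 0) -> int:
    """32-bit MurmurHash2 over little-endian 4-byte blocks."""
    m = 0x5BD1E995
    r = 24
    length = len(data)
    h = (seed ^ length) & MASK32

    # Mix four bytes at a time into the running hash.
    i = 0
    while length - i >= 4:
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * m) & MASK32
        k ^= k >> r
        k = (k * m) & MASK32
        h = (h * m) & MASK32
        h ^= k
        i += 4

    # Fold in the 1-3 trailing bytes (the reference switch with fall-through).
    tail = data[i:]
    if len(tail) >= 3:
        h ^= tail[2] << 16
    if len(tail) >= 2:
        h ^= tail[1] << 8
    if len(tail) >= 1:
        h ^= tail[0]
        h = (h * m) & MASK32

    # Final avalanche so the last bytes affect every output bit.
    h ^= h >> 13
    h = (h * m) & MASK32
    h ^= h >> 15
    return h


# Constructed candidate list; a real analysis run would feed every export
# name of the DLLs the sample loads.
CANDIDATE_API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "CreateFileW", "WriteFile",
    "CreateThread", "InternetOpenA", "CreateProcessW", "VirtualAlloc",
]


def build_hash_table(names, seed=0, nul_terminated=False):
    """Map hash -> name for each candidate. Assumption: names are hashed as
    ASCII without a terminating NUL; set nul_terminated=True to try the other
    convention when observed constants do not resolve."""
    table = {}
    for name in names:
        raw = name.encode("ascii") + (b"\x00" if nul_terminated else b"")
        table[murmurhash2(raw, seed)] = name
    return table


def resolve(hashes, table):
    """Return {hash: name or None} for constants extracted from a sample."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_API_NAMES)
    # Constructed "observed" constants: one real hash, one unknown value.
    observed = [murmurhash2(b"GetProcAddress"), 0xDEADBEEF]
    for h, name in resolve(observed, table).items():
        print(f"{h:08x} -> {name or '<unresolved>'}")
```

In practice the table is generated once from the export lists of the DLLs the sample loads and then applied to every hash constant found near the resolver routine; an unresolved constant usually means the wrong seed or terminator convention rather than an unknown API.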