Trojanised TrueCrypt serves up malware to Russian-speaking targets

Graham Cluley

Until it was discontinued under mysterious circumstances last year, the open-source encryption tool TrueCrypt was pretty much the first choice for computer users looking to keep the contents of their hard drive out of the reach of unauthorised parties.

So I am fascinated to read a new technical report by Robert Lipovsky and Anton Cherepanov, security researchers at ESET, which brings to light that a Russian language version of TrueCrypt contains a secret backdoor trojan.

TrueCrypt in Russian

According to ESET, the Russian TrueCrypt website truecrypt.ru has been serving malware to visitors since at least June 2012, and timestamps attached to the malicious binaries date them back to April 2012.

What makes things all the more interesting is that not everyone who downloaded TrueCrypt from the site will have been infected by the malware – as whoever was behind the attack was choosing their victims carefully:

Not every download of the TrueCrypt software from the Russian website is malicious or contains a backdoor. The malicious versions of the software are served only to selected visitors, based on unknown specific criteria. This lends additional evidence to the view that the operation is run by a professional gang that selectively targets their espionage victims.

This, no doubt, helps explain why the malware distribution has gone unnoticed for so long.

ESET’s report claims that in addition to serving a trojanized version of TrueCrypt (now detected as Win32/FakeTC), the domain has also been used as a command-and-control server, sending instructions to computers infected by the backdoor.

Lipovsky and Cherepanov released their findings as part of a larger investigation into Potao, a malware campaign that has been targeting computer users in Ukraine and other post-Soviet territories such as Russia, Georgia and Belarus.

You can read the full technical report here.

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
