Trojanised TrueCrypt serves up malware to Russian-speaking targets


Until discontinued under mysterious circumstances last year, the open-source encryption tool TrueCrypt was pretty much the first choice for computer users looking to keep the contents of their hard drive out of the reach of unauthorised parties.

So I am fascinated to read a new technical report by Robert Lipovsky and Anton Cherepanov, security researchers at ESET, which brings to light that a Russian-language version of TrueCrypt contains a secret backdoor trojan.

TrueCrypt in Russian

According to ESET, the Russian TrueCrypt website has been serving malware to visitors since at least June 2012, and timestamps attached to the malicious binaries date them back to April 2012.

What makes things all the more interesting is that not everyone who downloaded TrueCrypt from the site will have been infected by the malware, as whoever was behind the attack was choosing their victims carefully:

Not every download of the TrueCrypt software from the Russian website is malicious or contains a backdoor. The malicious versions of the software are served only to selected visitors, based on unknown specific criteria. This lends additional evidence to the view that the operation is run by a professional gang that selectively targets their espionage victims.

This, no doubt, helps explain why the malware distribution has gone unnoticed for so long.

ESET's report claims that in addition to serving a trojanised version of TrueCrypt (now detected as Win32/FakeTC), the domain has also been used as a command-and-control server, sending instructions to computers infected by the backdoor.

Lipovsky and Cherepanov released their findings as part of a larger investigation into Potao, a malware campaign that has been targeting computer users in Ukraine and other post-Soviet territories such as Russia, Georgia and Belarus.

You can read the full technical report here.
