Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRE
T//
NOFORN
Pique Analysis Report
20150814-260-Eset Potao
Ra
y
theon Blackbird Technolo
g
i
es,
Inc. 1 14 Au
g
2015
Use or disclosure of data contained on this sheet is su
bje
ct to the restrictions on the title
page
of this document.
SECRE
T//
NOFORN
1.0 (U) Analysis Summary
(S//NF) The following report discusses malware used in the Operation Potao Express Campaign
first seen in 2011. The campaign uses the Potao malware family with many similarities to the
BlackEnergy malware. The attackers have also used a trojanized version of Truecrypt to infect
computers. In both cases the malware required user interaction/installation to activate.
(S//NF) The Potao malware was delivered through executable email attachments appearing as
word documents, wedding invitations, and postal tracking links sent via email or SMS messages.
These links directed victims to malicious landing pages to infect victim computers. In the case of
the trojanized version of Truecrypt the executable was delivered through a Russian software
download website.
(S//NF) The malware was installed using a two stage dropper methodology. Before the final
DLL is dropped however the name of the Enter export function is patched to be the LUID value
and therefore each dropped instance of the DLL will have a unique binary hash. Once dropped it
maintains persistence through the creation of a registry key.
(S//NF) The Potao Trojan is a modular architecture which injects itself into the explorer.exe
process. It does not store its modules on the hard drive. Instead the modules are re-downloaded
every time the malware is activated on the system. Modules mentioned include the ability to
collect system info, file enumeration, keylogging, and screen capture. It also has the ability to
decrypt and steal passwords and settings from different browsers and email clients. No detailed
information is provided on how this is accomplished.
(S//NF) The Trojan communicates using various hardcoded IP Address/Port combinations
communicating via HTTP or HTTPS on ports 80 and 443 respectively. This communication is
performed using two stages of encryption. The first stage is a key exchange in which the bundled
private key is replace with a new one generated by the C&C server. The second stage then
contains the exchange of data encrypted with AES256.
(S//NF) The Potao malware has the ability to spread via USB. It copies itself to the root directory
of the USB drive changing its filename to match the disk label of the drive using the removable
drive icon. All existing files on the drive are marked as hidden. Therefore the user only sees a
single drive icon to click on when opening up the drive.
(S//NF) Anti-reverse engineering techniques are also employed by this malware. The
MurmurHash2 algorithm is used to compute the hashes for the WinAPI functions instead of
using their names. Furthermore all strings are encrypted using and XOR operation with a 4-byte
length key.
(S//NF) In conclusion, this Trojan does not demonstrate any new or notable techniques. As such
no PoC is recommended.