Experts discovered the Acronym Malware Descendant From Potao

7 years ago Security News 1895

Security researchers uncovered a new virus threat known as the Acronym malware which can be linked to the Potao malware identified back in 2011.

Acronym Malware Linked To The Old Potao Threat

Computer security researchers discovered a new virus which appears to be linked to an old Trojan known as Potao. The new threat is known as the Acronym malware and it has been linked to an old campaign dubbed Operation Potao Express. The old campaign was known as a “universal cyber espionage toolkit” and has been a part of the hackers arsenal since its inception in 2011.

The Old Potao Express: The Legacy Behind Acronym Malware

This is an old family of viruses which was first discovered back in 2011. One of the reasons why detailed research was done a few years later was because of the relatively low number of detected infections. Most of the attacks were made in 2015 and targeted mainly Ukraine, as well as Russia, Georgia and Belarus. The first instance was done using a mass-spreading campaign that contained the encrypted string GlobalPotao which gave the name of the malware family. The victims got infected via infected binary files that posed as Microsoft Word documents. Emails, download sites and P2P networks were one of the primary sources of the binaries. Other malware strategies include decoy documents, counterfeit invitations and web scripts.

One of the most famous characteristics of the Potao malware is the fact that it used to target Ukrainian government and military institutions and facilities. Its interesting to note that the virus engine can propagate across the internal network with a worm-like functionality, as well as via USB removable devices. The architecture of the virus is crafted around a main module which spies on the targets via the use of downloadable modules. The relevant modules are downloaded to the infected system when in the first stages of infection. Potao supports two types of plugins:

  1. Full Plugin – They run continuously until the infected system is restarted.

  2. Light Plugin – They terminate after their processes are complete.

The malware initiates a complex encrypted C&C communication after which the infection proceeds. Some of Potao’s capabilities include the following:

  • Sleep – Sleeps the virus infection for a set period.

  • System Information Harvesting – The virus engine collects system information and variables such as the computer name, logged user and the Windows version.

  • Enumerate – Enumerates all files on the locally mounted partitions (except the Windows folder and all EXE and DLL files).

  • Information Harvesting – The virus is able to extract stored accounts and steal files and folders.

  • Additional Payload Introduction – The virus is able to download malicious files from remote hosts. This can include executable files what can be executed, as well as DLL files that can be loaded to running processes.

Acronym Malware May Be Based on Potao

The discovered virus samples were discovered recently and once compiled they allowed the researchers to take a closer look into the virus’s capabilities and infection sources. First of all it appears that they have been distributed since February 2017, based on the compilation date for both the dropper and the main executable. The following behavior has been identified with these infections:

  1. The Acronym malware like its predecessors consists of a payload dropper (trigger) and a main executable file. Once the dropper has been deployed to the target system in kills any processes named “wmpnetwk.exe”” using the following command:
    taskkill /f /im wmpnetwk.exe

  2. A temporary file is created which starts with the “HH” string and uses the TMP file extension. This step downloads the malicious executable to the following location:

    C:\Documents and Settings\Admin\Application Data\Windows Media Player\wmpnetwk.exe

  3. The Acronym malware creates a persistent environment for itself. Depending on the Windows version this is done either by crafting Registry Run commands or adding a new entry into the Task Scheduler.

  4. To prevent multiple copies of itself from running, the virus engine creates and monitors a predefined mutex – sjd8anSice8h_sdnm9232.

  5. The next step involves network communication with the remote C&C servers. The engine iterates through several (six in the latest samples) possible IP address and port pairs.

  6. Based on the response of the servers there are several built-in commands that appear to correlate with those of Potao:
    Screenshot Capture.
    Download and Execution Of A Remote Payload.
    Plugin Execution.

  7. This plugin architecture is very similar to the one used by Potao. It loads a DLL received from the C&C servers and looks for code located in the “Scan” or “Plug” export function. If any code is found within “Scan” it is executed and the all results are sent to the C&C servers in a report. The “Plug” export creates a new process thread and executes the passed function using the following string as an argument:
    uid=%s&group=%s&ver=%s
    The relevant variables are filled with the information harvested from the machines.

There is distinct code overlap with the older threat as well as similarities in the used ports for network communication (over 8080. 443 and 80), shared C&C network and the fact that the temporary files start with the “HH” string. There are also a lot of features missing from Acronym that are present in Potao. The list includes:

  • The dropper module does not use decoy documents as infection sources.

  • The dropper module does not store the compressed executable.

  • The virus engine cannot inject code into running processes.

  • Acronym drops only EXE files.

  • The virus engine does not feature string and AES encryption.

  • No RSA keys or XML exchange is performed.

  • No Windows API hashing function.

  • Different system information query string use.

According to the security researchers at least three major components appear to be copied from example code found on the Internet:

  • HTTP Communications Module

  • DES Encryption and Key Module.

  • Screenshot Capture Capability.

Acronym Malware Removal Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *