Until discontinued under mysterious circumstances last year, the open-source encryption tool TrueCrypt was pretty much the first choice for computer users looking to keep the contents of their hard drive out of the reach of unauthorised parties.
So I am fascinated to read a new technical report by Robert Lipovsky and Anton Cherepanov, security researchers at ESET, which brings to light that a Russian language version of TrueCrypt contains a secret backdoor trojan.
According to ESET, the Russian TrueCrypt website truecrypt.ru has been serving malware to visitors since at least June 2012, and timestamps attached to the malicious code binaries dates them back to April 2012.
What makes things all the more interesting is that not everyone who downloaded TrueCrypt from the site will have been infected by the malware – as whoever was behind the attack was choosing their victims carefully:
Not every download of the TrueCrypt software from the Russian website is malicious or contains a backdoor. The malicious versions of the software are served only to selected visitors, based on unknown specific criteria. This lends additional evidence to the view that the operation is run by a professional gang that selectively targets their espionage victims.
This, no doubt, helps explain why the malware distribution has gone unnoticed for so long.
ESET’s report claims that in addition to serving a trojanized version of TrueCrypt (now detected as Win32/FakeTC), the domain has also been used as a command-and-control server, sending instructions to computers infected by the backdoor.
Lipovsky and Cherepanov released their findings as part of a larger investigation into Potao, a malware campaign that has been targeting computer users in Ukraine and other post-Soviet territories such as Russia, Georgia and Belarus.
You can read the full technical report here.