ABSTRACT

The attacks conducted using the Win32/Potao malware family span the past five years, with the first detections dating back to 2011. The attackers are, however, still very active, with the most recent infiltration attempts detected by ESET in July 2015. One of the most interesting discoveries during the Potao investigation and research was the connection to a Russian version of the now discontinued, popular open-source encryption software, TrueCrypt. The Potao family is a typical cyberespionage Trojan, and as such it implements all the functionality necessary to exfiltrate sensitive information from the infected user's system and send it to the attackers' remote server. Like most other Trojan families, Win32/Potao arrives on the victim's computer system in the form of a Trojan dropper that acts as an "installer" for the malware.