FakeTC

By GoldSparrow in Trojans

The FakeTC program is a backdoor Trojan that was identified by computer security companies in July 2015. The FakeTC malware has been active since 2011, but it was in 2015 that researchers succeeded in uncovering its 'Command and Control' network and its distribution network in full. The FakeTC Backdoor Trojan is a member of the W32/Potao family of malware, which is primarily associated with 32-bit architectures. The FakeTC malware is developed with cyber espionage in mind. FakeTC has been found on government and military systems in countries like Armenia, Ukraine, Georgia and Belarus. The FakeTC software is developed by the Sandworm APT (Advanced Persistent Threat) group (also known as Quedagh).

The FakeTC cyber-threat is used in attacks on government agencies and military facilities with varying degrees of success. The first attacks leveraging the FakeTC Trojan were registered when top-level political figures received SMS messages containing URLs to corrupted Web pages posing as parcel tracking services. The weaponized Web pages delivered the FakeTC Backdoor Trojan as a supposed Microsoft Word file with a double extension; in reality, users were prompted to run a program and thereby installed the Trojan themselves. The attackers also used Excel documents and infected USB drives.

The FakeTC malware includes a function to spread to other computers by planting executables masked as Word and Excel documents onto USB drives connected to an already infected host. The majority of security incidents associated with FakeTC involve a corrupted version of the TrueCrypt encryption software (http://truecrypt.sourceforge.net), which had been deprecated at the time of writing. Security researchers have documented the compromised domains used to spread the FakeTC Backdoor Trojan.

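The two disguises described above, a document name with an executable extension appended (the double-extension lure) and an executable planted under a plain Word or Excel file name, can be spotted on a mounted USB drive or share with a simple scan. The Python script below is an added defender-side example and is not code from this post or from any vendor; the extension lists, file names and the sample directory it builds are constructed for the demonstration.

```python
import struct
import tempfile
from pathlib import Path

# Document extensions the lures imitate, and executable types hidden behind them (assumed lists).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".rtf", ".pdf"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl"}


def is_pe_file(path: Path) -> bool:
    """True if the file has an 'MZ' DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    try:
        with path.open("rb") as fh:
            header = fh.read(0x40)
            if len(header) < 0x40 or header[:2] != b"MZ":
                return False
            fh.seek(struct.unpack_from("<I", header, 0x3C)[0])  # e_lfanew
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def suspicious_files(root) -> list:
    """Return (reason, path) pairs for files under root that pose as documents:
    double extensions such as report.doc.exe, or a document extension on PE content."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        sfx = [s.lower() for s in path.suffixes]
        if len(sfx) >= 2 and sfx[-2] in DOCUMENT_EXTS and sfx[-1] in EXECUTABLE_EXTS:
            hits.append(("double-extension", str(path)))
        elif sfx and sfx[-1] in DOCUMENT_EXTS and is_pe_file(path):
            hits.append(("pe-disguised-as-document", str(path)))
    return hits


def fake_pe_bytes() -> bytes:
    """Constructed, non-functional PE stub: 'MZ' header, e_lfanew = 0x40, then 'PE\\0\\0'."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


def build_sample_dir() -> str:
    """Create a constructed sample 'USB drive': one genuine-looking document and two lures."""
    root = tempfile.mkdtemp(prefix="faketc_demo_")
    (Path(root) / "agenda.docx").write_bytes(b"PK\x03\x04 constructed placeholder, not a PE")
    (Path(root) / "parcel_tracking.doc.exe").write_bytes(fake_pe_bytes())
    (Path(root) / "budget.xls").write_bytes(fake_pe_bytes())
    return root
```

Running `suspicious_files(build_sample_dir())` reports the two lures and leaves the genuine document alone; point `suspicious_files` at a real mount point to scan it.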

The FakeTC Backdoor Trojan is reported to be able to download files from a remote PC and from the Internet, run and terminate programs, send logs of data saved on the local drives, upload files to a command server, and copy login credentials from Web browsers and email clients. The FakeTC software can be used to hijack control of industrial systems and email accounts and to install full-featured spyware. You should run security scans regularly and ignore messages from unknown senders. Security vendors detect the FakeTC Backdoor Trojan under a number of different names.

