Researchers at the antivirus company ESET found that the Win32/Potao spyware can masquerade as the TrueCrypt application. Potao is loaded onto the system through the TrueCrypt.exe executable: a compromised build of the disk-encryption software serves as the loader. The modified TrueCrypt was distributed through the website truecryptrussia.ru, and the same domain name was also used as one of the addresses of the malware's command-and-control server.
This may indicate that the site was created for malicious purposes from the outset, the researchers emphasize.
The first malicious TrueCrypt builds containing a backdoor date from April 2012. They were delivered selectively to certain users, which points to a targeted attack. The researchers also note that in some cases Potao was installed on the PC by another program, which ESET NOD32 antivirus products detect as Win32/FakeTC.