Conspiracy theories about Vladimir Putin abound, but the Avast Threat Labs team has found another small mystery around the Russian president.
Is Vladimir Putin almighty? Some say that he’s behind everything that moves the world. We steer clear of any conspiracy theories, but what we can say for sure is that President Putin recently made it to the world of Torrent.
We dug deeper into a file, properly signed by BitTorrent Inc.
The claim is that it’s a uTorrent binary:
Everything looks okay so far … but then we detect the binary! What’s wrong here? To get an answer, we have to look at the end of the file.
When we take a closer look, a link catches our attention.
Kremlin.ru is the official website of the president of Russia, and the link leads to this picture:
According to the API functions contained in the small injected binary, it seems that the picture is downloaded under the name putin.exe and executed. But there’s another “but.”
Due to the highlighted formal errors in the code of the injected binary, nothing actually happens and the binary is benign. All of this looks like a kind of Easter egg for those who dig deeper into file content. The mystery remains: who embedded young Vladimir into the uTorrent binary?
And now the last question.
How did the author manage to fool the integrity check and still pass the digital signature verification? It’s a trick described in detail by our colleague Igor Glücksmann here: https://recon.cx/2012/schedule/events/246.en.html
File hash (SHA256): 09F189465AE23D29FC1D4CE5FE982787D0264DF70E74025DF8905F5EEA6B8B7B
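Added example (not from the original post or from Avast): a Python check a defender can run on a signed PE to find bytes stored in the Authenticode certificate table after the PKCS#7 signature, a region the Authenticode hash does not cover. That this sample keeps its extra data there is an assumption; `cert_table_slack`, `der_total_len` and `build_sample` are hypothetical names, and the sample input is constructed.

```python
import struct

def der_total_len(buf):
    """Total size (header + body) of the DER element at the start of buf."""
    if len(buf) < 2 or buf[1] == 0x80:       # truncated or indefinite length
        return None
    if buf[1] < 0x80:                        # short form
        return 2 + buf[1]
    n = buf[1] & 0x7F                        # long form: n length bytes follow
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def cert_table_slack(pe):
    """List (entry_offset, extra_bytes) for WIN_CERTIFICATE entries that hold
    more than zero padding after their PKCS#7 blob."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                            # optional header follows COFF header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)   # start of data directories
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: file offset, size
    findings, pos, end = [], off, min(off + size, len(pe))
    while off and pos + 8 <= end:
        length = struct.unpack_from("<I", pe, pos)[0]  # dwLength, header included
        if length < 8:
            break
        blob = pe[pos + 8:min(pos + length, end)]
        used = der_total_len(blob)
        extra = blob[used:] if used is not None else b""
        if len(extra) > 7 or extra.strip(b"\0"):       # beyond 8-byte alignment padding
            findings.append((pos, extra))
        pos += (length + 7) & ~7                       # entries are 8-byte aligned
    return findings

def build_sample(appended=b""):
    """Constructed input: header-only PE32 stub with one fake certificate entry."""
    body = b"\x30\x82\x01\x00" + b"\xAA" * 256 + appended   # fake DER SEQUENCE + extra
    body += b"\0" * (-(len(body) + 8) % 8)
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 24, 0x10B)             # PE32 magic
    struct.pack_into("<II", hdr, 0x80 + 24 + 96 + 32, len(hdr), len(cert))
    return bytes(hdr) + cert
```

A non-empty result on a file whose signature verifies means the signed binary carries content the signer never hashed, which is worth extracting and inspecting.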