Malware researchers at a security firm have identified a new piece of malware, dubbed Acronym, that appears to be tied to the espionage campaign known as "Operation Potao Express". The sample came to the firm's attention shortly after VirusTotal shared on Twitter an analysis of it by an Italy-based researcher who goes by the online handle Antelox. A closer look at the Trojan and its associated dropper suggests that it belongs to the Potao malware family and that the dropper is the component used to deliver it. Potao itself has previously been described as a "universal modular cyber espionage toolkit".
The Potao family was first analyzed in detail by a security firm in 2015, but it has been in circulation since 2011. According to that report, Russian hackers are most likely behind the Trojan, and it has been used in attacks on entities in Belarus, Ukraine, Georgia and Russia that the researchers characterize as "high-value targets". The analysts believe the newly identified malware may be linked to Potao and named it "Acronym" after a debugging string left in the binary and the web addresses it uses to reach its C&C (Command and Control) servers.
Both the Acronym malware and its Trojan dropper appear to have been built in mid-February. The dropper is designed to kill a legitimate Windows system process, "wmpnetwk.exe" (the Windows Media Player Network Sharing Service), and to replace the legitimate executable with its own malicious binary. Once running on the infected machine, Acronym establishes persistence through either a Registry entry or a Windows Task Scheduler task. It then connects to a Command & Control server and sends basic information about the infected host to the remote operators. Like Potao, Acronym is modular: through plug-ins the attackers can gather download histories, capture screenshots, execute further malicious files and run other intrusive modules on demand.
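The behaviours above (a replaced wmpnetwk.exe binary and persistence via a Registry run key or a scheduled task) are the things a responder would check first on a suspect host. The following PowerShell hunting script is an added example written for this page; it is not code from the original article, the researchers or any vendor report. It assumes the legitimate wmpnetwk.exe lives under the Windows Media Player folder in Program Files (the System32 path is included as a fallback) and that any other copy, an invalid or non-Microsoft Authenticode signature, or a run key or scheduled task referencing the binary is worth flagging.

```powershell
# Added hunting script (not from the original article or the researchers).
# Assumption: legitimate wmpnetwk.exe lives in these locations; adjust for your build.
$Candidates = @(
    "$env:ProgramFiles\Windows Media Player\wmpnetwk.exe",
    "${env:ProgramFiles(x86)}\Windows Media Player\wmpnetwk.exe",
    "$env:SystemRoot\System32\wmpnetwk.exe"
)

$findings = @()

# 1. Is the on-disk binary still validly signed by Microsoft?
#    A dropper that swaps the file for its own binary will break the signature.
foreach ($path in $Candidates) {
    if (Test-Path -Path $path) {
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no certificate)' }
        if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') {
            $findings += "Unsigned or unexpected signer on ${path}: $($sig.Status) $subject"
        }
        # Record the hash so it can be compared against a known-good baseline.
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        Write-Output "$path SHA256=$hash"
    }
}

# 2. Is a wmpnetwk.exe process running from somewhere other than the expected paths?
Get-Process -Name wmpnetwk -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and ($Candidates -notcontains $_.Path)) {
        $findings += "wmpnetwk.exe running from unexpected path: $($_.Path) (PID $($_.Id))"
    }
}

# 3. Persistence: Run keys and scheduled tasks whose command line references the binary.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'wmpnetwk') {
                $findings += "Run key $key\$($p.Name) -> $($p.Value)"
            }
        }
    }
}
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'wmpnetwk') {
            $findings += "Scheduled task '$($task.TaskPath)$($task.TaskName)' runs $($a.Execute) $($a.Arguments)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No wmpnetwk.exe anomalies found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it in an elevated PowerShell session so that HKLM and the full task list are readable. A signature failure on the binary is the strongest indicator here; the run-key and scheduled-task checks are deliberately broad (any command line mentioning wmpnetwk) because a legitimate installation does not normally need either form of persistence for that service.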
During the analysis the C&C servers were offline, so the investigators were unable to retrieve the plug-ins Acronym would have downloaded. Even so, the overlap in plug-in functionality led the researchers to believe that Acronym may be connected to Potao. On the other hand, Acronym's dropper does not use legitimate-looking documents, processes or DLL files to inject the malware, and its code for file encryption, HTTP communication and screenshot capture appears to have been copied from publicly available examples, which weakens any attribution based on code similarity alone. The analysts' conclusion is that the new malware has a potential, but so far unconfirmed, link to the long-running malicious campaign identified as Operation Potao Express.