A stealthy threat actor known as StrongPity spent the summer luring encryption software users to "watering holes" and trojanized ("infected") installers, according to research presented at the Virus Bulletin conference by Kaspersky Lab security researcher Kurt Baumgartner. Users in Italy and Belgium were the most affected, but users in Turkey, North Africa and the Middle East were also hit.
StrongPity is a technically capable APT actor with an interest in encrypted data and communications. Over the past few months, Kaspersky Lab has observed a significant escalation of its attacks on users looking for two widely used encryption tools: the WinRAR file archiver and the TrueCrypt disk encryption system.
The StrongPity malware includes components that give the attackers full control of the victim's system. In essence, it allows them to steal the contents of the disk and to download additional modules that collect communications and contacts. Kaspersky Lab has so far detected visits to StrongPity websites and the presence of its tools on more than a thousand target systems.
"Watering holes" and "infected" installation programs
To trap their victims, the attackers set up fake websites. In one case, they transposed two letters in a domain name to trick visitors into believing it was the official WinRAR download site. They then placed a prominent link on a WinRAR distributor's site in Belgium, apparently replacing the site's "recommended" download link with one pointing to the malicious domain. Visitors who followed it were led, unsuspecting, to the "infected" StrongPity installer. Kaspersky Lab first detected a successful redirect of this kind on May 28, 2016.
Almost simultaneously, on May 24, Kaspersky Lab began detecting malicious activity on an Italian WinRAR distribution site. In this case, however, users were not redirected to a fraudulent website: they received the malicious StrongPity installer directly from the distributor's own website.
StrongPity also redirected visitors from popular freeware sites to trojanized TrueCrypt installers. This activity was still ongoing at the end of September.
The malicious links on the WinRAR distribution websites have since been removed, but at the end of September the malicious TrueCrypt site was still operational.
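The domain trick described above, two adjacent letters swapped so the name passes a casual glance, is something a site operator can check for mechanically before publishing a "recommended download" link. The following is an added defender-side example, not code from the article or from Kaspersky Lab; every domain name in it is a constructed placeholder, since the article does not name the domains involved.

```python
# Added example (not from the article): flag download-link hostnames that are an
# adjacent-letter transposition of a legitimate distributor hostname.
# All domain names below are constructed placeholders.
from urllib.parse import urlparse

# Constructed allow-list of legitimate distributor hostnames (placeholders).
TRUSTED_HOSTS = {"rarlab.example", "truecrypt-mirror.example"}


def is_adjacent_transposition(a: str, b: str) -> bool:
    """True if b equals a with exactly one pair of adjacent characters swapped."""
    if len(a) != len(b) or a == b:
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def registrable_domain(host: str) -> str:
    # Naive: keep the last two labels (no public-suffix list handling).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_download_url(url: str) -> str:
    """Return 'trusted', 'lookalike:<trusted host>' or 'unknown' for a link."""
    host = urlparse(url).hostname or ""
    dom = registrable_domain(host)
    if dom in TRUSTED_HOSTS:
        return "trusted"
    for good in TRUSTED_HOSTS:
        if is_adjacent_transposition(dom, good):
            return f"lookalike:{good}"
    return "unknown"


# Constructed sample "recommended download" links as they might appear on a
# distributor page; the second one has two letters of the host transposed.
SAMPLE_LINKS = [
    "https://www.rarlab.example/rar/winrar-x64.exe",
    "http://ralrab.example/rar/winrar-x64.exe",
    "https://cdn.freeware-portal.example/TrueCrypt-Setup.exe",
]


def audit_links(links):
    """Map each link to its verdict so the result can be reviewed or asserted on."""
    return {u: classify_download_url(u) for u in links}


if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE_LINKS).items():
        print(f"{verdict:28} {url}")
```

The check only catches the exact transposition trick the article describes; a real review would combine it with other lookalike heuristics and, more importantly, with hash or signature verification of the installer itself.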
Geography of the attacks
Kaspersky Lab data show that within a week the malware served from the Italian distributor's website appeared on hundreds of systems across Europe and North Africa/the Middle East, with many more infections likely. Over the summer, Italy (87%), Belgium (5%) and Algeria (4%) were the most affected. The geography of victims of the "infected" Belgian site was similar, with users in Belgium accounting for half (54%) of more than 60 successful attacks.
Attacks on users through the fraudulent TrueCrypt site date back to May 2016, with 95% of the victims located in Turkey.
"The techniques used by this threat actor are quite smart. They resemble the approach adopted in early 2014 by the Crouching Yeti / Energetic Bear APT, in which legitimate installers of software for industrial control systems were trojanized and genuine software distribution websites were compromised. These tactics are an undesirable and dangerous trend that the security industry has to deal with. The search for privacy and data integrity should not expose the individual to harmful 'watering holes'. 'Watering hole' attacks are inherently imprecise, and we hope to stimulate debate about the need for easier and better verification of the delivery of encryption tools," said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.
Kaspersky Lab detects all StrongPity components under the names HEUR:Trojan.Win32.StrongPity.gen and Trojan.Win32.StrongPity.*, as well as under other generic detections.
For more information about StrongPity's "watering hole" attacks, see the dedicated post on Securelist.com.
For information on mitigating the threat of "infected" encryption software, see the Kaspersky Business blog.