An invisible, threatening player, also known as StrongPity, spent the summer attracting encryption software users to "watering holes" and "infected" installation programs, according to a work presented in the Virus Bulletin by Kaspersky Lab security researcher Kurt Baumgartner. Users in Italy and Belgium were the most affected, but also users in Turkey, North Africa and the Middle East were also affected.
StrongPity is a technically proficient APT-style attack vector interested in encrypted data and communications. Over the past few months, Kaspersky Lab has noticed a significant escalation of its attacks on users searching for two very important encryption tools: the WinRAR archive and the TrueCrypt encryption system.
Το κακόβουλο λογισμικό StrongPity περιλαμβάνει στοιχεία που δίνουν στους επιτιθέμενους τον πλήρη έλεγχο του συστήματος του θύματος. Ουσιαστικά τους δίνει τη δυνατότητα να κλέψουν το περιεχόμενο του disk but also to "download" additional units to gather communications and contacts. Kaspersky Lab has so far detected visits to StrongPity websites and the presence of its tools on more than a thousand target systems.
«Watering holes "and" infected "installation programs
In order to trap their victims, the attackers made false websites. In one case, they carried two letters into one domain name για να ξεγελάσουν τους πελάτες νομίζοντας ότι ήταν ένας επίσημος ιστότοπος εγκατάστασης του λογισμικού WinRAR. Στη συνέχεια, τοποθέτησαν έναν περίοπτο σύνδεσμο σε μία τοποθεσία διανομής WinRAR στο Βέλγιο, προφανώς αντικαθιστώντας τον «προτεινόμενο» σύνδεσμο της ιστοσελίδας με εκείνη του κακόβουλου domain. Καθώς οι επισκέπτες πλοηγούνταν σε αυτή την ιστοσελίδα, αυτό οδηγούσε τους ανυποψίαστους χρήστες στο «μολυσμένο» πρόγραμμα εγκατάστασης του StrongPity. Η πρώτη detection successful redirection by Kaspersky Lab took place on May 28, 2016.
Almost simultaneously, on 24 May, Kaspersky Lab began to detect malicious activity on an Italian WinRAR distribution site. In this case, however, users were not redirected to a fraudulent website, but they accepted the malicious StrongPity installation program directly from the distributor's website.
StrongPity also redirected visitors to popular web pages with free software in TrueCrypt installation programs that were "infected" by Trojan. This activity was still in progress at the end of September.
Malicious links from the WinRAR distribution websites have now been removed, but by the end of September, the malicious TrueCrypt site was still operational.
Geography of the attacks
Kaspersky Lab data reveals that within a week the malware provided by Italy's distributor's website appeared in hundreds of systems across Europe and North Africa / the Middle East, with many more potential "infections". During the summer, Italy (87%), Belgium (5%) and Algeria (4%) were most affected. The geography of the victims from the 'infected' website in Belgium was similar, with users in Belgium accounting for half (54%), with over 60 successful attacks.
Attacks on users through the fraudulent TrueCrypt site reach up to May of 2016, with 95% of the victims being in Turkey.
«The techniques used by this threatening carrier are smart enough. They resemble the approach adopted at the beginning of 2014 by APT Crouching Yeti / Energy Bear, in which lawfully installed software programs for industrial control systems that were 'infected' by Trojan and compromised genuine software distribution websites.. These tactics are an unwanted and dangerous trend that the security industry must address. The quest to protect the privacy and integrity of data they should not expose the person to harmful 'waterholes". "Waterhole" attacks are inherently vague and we hope to stimulate debate about the need for easier and improved verification of the delivery of encryption tools"Said Kurt Baumgartner, Kaspersky Lab's Principal Security Researcher.
Kaspersky Lab identifies all StrongPity components with the names: HEUR :. Trojan.Win32.Strong Pity.gen and Trojan.Win32.StrongPity * and other general scans.
For more information about StrongPity's "watering hole" attacks, you can visit the dedicated website Securelist.com.
For information on mitigating threats with "infectedo »encryption software, you can visit the blog Kaspersky Business.
