Skip to main content

StrongPity 'Advanced Persistent Threat' Goes After WinRAR, TrueCrypt Users, Says Kaspersky

Kaspersky announced the discovery of a new "advanced persistent threat" (APT) attack called "StrongPity." The attack involved infecting installers of WinRAR and TrueCrypt on sites that distributed the two apps.

Encryption Tools Users Targeted

Kaspersky’s research team has noticed that over the past few months, there has been an escalation in attacks against users who are looking mainly for two software programs: WinRAR and TrueCrypt.

TrueCrypt, which has been abandoned by its original authors but has been continued through other projects such as VeraCrypt, is a well-known drive encryption software. WinRAR is a popular file archiver utility for Windows, but it’s also often used to encrypt files.

Waterhole Attacks

The users were infected through “waterhole attacks,” which are attacks that put malware on certain websites where targeted users are likely to visit. The StrongPity attackers would insert trojans into the installer files of WinRAR and TrueCrypt on various distributor sites, from where users would download them and infect their own systems.

The attackers are able to take complete control of their systems through the infected installers. They can also steal disk contents and download additional malware components that allow them to collect contacts and monitor communications.

Belgium And Italy Most Targeted

Users were most targeted in Belgium and Italy. In Belgium, the attackers built fake websites from which they would make the infected installers available. In Italy, the StrongPity attackers infected the software installers on an existing software distributing website. Kaspersky noticed the fraudulent activity in both Belgium and Italy earlier this year, in May.

Kasperky Lab data revealed that over a single week, hundreds of systems throughout Europe and Northern Africa/Middle East were infected by StrongPity malware.

”The techniques employed by this threat actor are quite clever. They resemble the approach undertaken in early 2014 by the Crouching Yeti/Energetic Bear APT, which involved trojanizing legitimate IT software installers for industrial control systems and compromising genuine distribution sites,” said Kurt Baumgartner, principal security researcher, Kaspersky Lab. “These tactics are an unwelcome and dangerous trend that the security industry needs to address. The search for privacy and data integrity should not expose an individual to offensive waterhole damage. Waterhole attacks are inherently imprecise, and we hope to spur discussion around the need for easier and improved verification of encryption tool delivery," he added.

Code Signing And Verification

The ideal protection against this sort of attack, where you get an infected file that should otherwise be legitimate, is "code signing" and "signature verification." This is especially important for encryption software that’s more likely to be targeted by sophisticated attackers, such as nation- states.

However, checking a file’s signature isn’t an easy enough task for most people, so most people don’t bother or don’t even know how to do it. Easier ways to verify a file’s integrity by comparing it to the original source are needed. Until then, Kaspersky said that strong anti-malware and dynamic whitelisting solutions will be more necessary than ever.

  • TheDane
    Link "Veracrypt" is the same as "Truecrypt". And you forgot a link to the complete version https://truecrypt.ch/ - still maintained btw but not by the creator who seem to have chickened out (NSA pressure perhaps?). Is an excellent encryption tool (if not the best) btw.
    Reply
  • Willz13
    Funny enough I got kasperskys total security and my pc started going very slow over the last 3/4 months leave me with no other choice but to go with an other anti-virus witch seem to work properly and sort out the problem kasperskys wasn't able to do leaving me with a waste of money as I still had 90 days left on kasperskys but lesson learnt and I for one will not use them again... bullguard all the way for me
    Reply
  • WFang
    18712481 said:
    Funny enough I got kasperskys total security and my pc started going very slow over the last 3/4 months leave me with no other choice but to go with an other anti-virus witch seem to work properly and sort out the problem kasperskys wasn't able to do leaving me with a waste of money as I still had 90 days left on kasperskys but lesson learnt and I for one will not use them again... bullguard all the way for me

    Regarding Kaspersky products: "The company is headquartered in Moscow, Russia"
    Perhaps it has been going very slow from time to time because your computer was zombied off to do something or another that it was not supposed to? I've gotten increasingly paranoid of late of any and all AV products... If a nation state wanted to do unspeakable things, it seems like infiltrating major (or open source) AV platforms would be a great way to put some more tools and resource into your toolbag.

    Naaaah, that's just cray-cray right there.. that could not possibly happen! ...right?
    Reply
  • Christopher1
    Who in their right mind would still be using TrueCrypt when BestCrypt and VeraCrypt have fixed the most blatant bugs in TrueCrypt after it was pulled from support by the creator of the software? No one I can think of.
    If you are still using TrueCrypt and are doing something even 'naughty' but not illegal? Switch to one of those two supported programs. They are both open-source.
    Reply