Kaspersky announced the discovery of a new "advanced persistent threat" (APT) attack called "StrongPity." The attack involved infecting installers of WinRAR and TrueCrypt on sites that distributed the two apps.
Encryption Tools Users Targeted
Kaspersky’s research team has noticed that over the past few months, there has been an escalation in attacks against users who are looking mainly for two software programs: WinRAR and TrueCrypt.
TrueCrypt, which has been abandoned by its original authors but has been continued through other projects such as VeraCrypt, is a well-known drive encryption software. WinRAR is a popular file archiver utility for Windows, but it’s also often used to encrypt files.
The users were infected through “waterhole attacks,” which are attacks that put malware on certain websites where targeted users are likely to visit. The StrongPity attackers would insert trojans into the installer files of WinRAR and TrueCrypt on various distributor sites, from where users would download them and infect their own systems.
The attackers are able to take complete control of their systems through the infected installers. They can also steal disk contents and download additional malware components that allow them to collect contacts and monitor communications.
Belgium And Italy Most Targeted
Users were most targeted in Belgium and Italy. In Belgium, the attackers built fake websites from which they would make the infected installers available. In Italy, the StrongPity attackers infected the software installers on an existing software distributing website. Kaspersky noticed the fraudulent activity in both Belgium and Italy earlier this year, in May.
Kasperky Lab data revealed that over a single week, hundreds of systems throughout Europe and Northern Africa/Middle East were infected by StrongPity malware.
”The techniques employed by this threat actor are quite clever. They resemble the approach undertaken in early 2014 by the Crouching Yeti/Energetic Bear APT, which involved trojanizing legitimate IT software installers for industrial control systems and compromising genuine distribution sites,” said Kurt Baumgartner, principal security researcher, Kaspersky Lab. “These tactics are an unwelcome and dangerous trend that the security industry needs to address. The search for privacy and data integrity should not expose an individual to offensive waterhole damage. Waterhole attacks are inherently imprecise, and we hope to spur discussion around the need for easier and improved verification of encryption tool delivery," he added.
Code Signing And Verification
The ideal protection against this sort of attack, where you get an infected file that should otherwise be legitimate, is "code signing" and "signature verification." This is especially important for encryption software that’s more likely to be targeted by sophisticated attackers, such as nation- states.
However, checking a file’s signature isn’t an easy enough task for most people, so most people don’t bother or don’t even know how to do it. Easier ways to verify a file’s integrity by comparing it to the original source are needed. Until then, Kaspersky said that strong anti-malware and dynamic whitelisting solutions will be more necessary than ever.