- Oct 23, 2012
An APT group nicknamed StrongPity has put a lot of effort in a recent campaign that has targeted users of encryption software such as TrueCrypt and WinRAR.
Kaspersky Lab says the group had been active in past years, but it employed mostly zero-days to compromise targets and spy on users and their activities.
The most recent attacks, detected in the summer of 2016, relied on new tactics, which the group had never used before.
Group targeted encryption-savvy users
Kaspersky says the group used watering hole attacks and poisoned installers to reach the computers of users who are generally harder to compromise because they use encryption software. It was precisely this penchant for encryption on the victims' part that the attackers focused on.
The group has targeted two encryption software packages in different attacks. The first is WinRAR, a software package known best for its archiving capabilities, but which also comes with a feature that allows users to encrypt data using the AES algorithm and lock it inside a password-protected RAR file.
The second is TrueCrypt, a full-disk encryption utility that locks all files on a hard drive. This software package was very popular two years ago, but most users abandoned it when its developers said the software was insecure and urged them to use other utilities instead.
By targeting users of these two software packages, StrongPity is trying to compromise users it couldn't compromise before, because they protected their data.
Group tricked legitimate websites to link to their malware
Kaspersky says that StrongPity had registered a lookalike domain, ralrab.com, which is very similar to the official rarlab.com website, through which the WinRAR developers distribute their software.
Using this fake domain, the APT managed to trick the operators of the winrar.be website into linking to the malicious version of WinRAR hosted on ralrab.com instead of the official one. That version of WinRAR came with a backdoor trojan, allowing the StrongPity actors to spy on anyone who installed the tainted package.
They pulled the same trick with the winrar.it website, but instead of linking to the ralrab.com website, the group convinced the winrar.it website to host a malicious version of the file themselves.
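The ralrab.com / rarlab.com swap described above is a single adjacent-character transposition, which plain Levenshtein distance scores as 2 but the Damerau variant scores as 1. The following is an added example, not code from the article or from Kaspersky Lab, showing how a site operator or defender could audit outbound download links against a list of trusted vendor domains and flag lookalikes before publishing them. Only rarlab.com and ralrab.com come from the article; the trusted-domain set, the sample link list and the file paths in it are constructed for the example.

```python
"""Flag download links that point at look-alike domains of trusted vendor sites.

Added example for this article; not code from Kaspersky Lab or the article.
rarlab.com (official WinRAR site) and ralrab.com (the StrongPity look-alike)
are from the article; everything else here is constructed.
"""
from urllib.parse import urlparse

# Official distribution domains the defender trusts.
# Assumption for the example: only the WinRAR vendor domain from the article.
TRUSTED_DOMAINS = {"rarlab.com"}

# Constructed sample of links a site operator might be asked to publish.
SAMPLE_LINKS = [
    "http://www.rarlab.com/download/installer.exe",   # genuine vendor host
    "http://ralrab.com/download/installer.exe",       # transposed look-alike
    "http://example.org/download/installer.exe",      # unrelated host
]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution / match
            )
            # adjacent transposition (e.g. "lr" <-> "rl")
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(url: str) -> str:
    """Reduce a URL to its last two host labels (simplification: assumes
    a single-label public suffix such as .com)."""
    host = urlparse(url).hostname or ""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a download URL.

    A domain is a look-alike when its second-level label is within
    max_distance edits (transpositions included) of a trusted label but
    is not itself trusted."""
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted"
    label = domain.split(".")[0]
    for t in trusted:
        if damerau_levenshtein(label, t.split(".")[0]) <= max_distance:
            return "lookalike"
    return "unrelated"


def audit_links(links):
    """Classify every link; anything not 'trusted' should be reviewed
    before it is published on a download page."""
    return {url: classify_link(url) for url in links}


if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE_LINKS).items():
        print(f"{verdict:10} {url}")
```

In practice the trusted set would hold the vendor's real distribution domains and the audit would run as a pre-publish check on any page that links to third-party installers; a "lookalike" verdict is a strong signal that the link should not go live without manual confirmation against the vendor's official site.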