StrongPity malware corrupts legit WinRAR, TrueCrypt installers

By: Khushaar Tanveer

Kaspersky Lab’s security team stumbled across a newly discovered malware called StrongPity that allegedly corrupts legitimate WinRAR and TrueCrypt installer files.

WinRAR is one of the best-known archiving tools on Windows, handling compression and extraction, whereas TrueCrypt is a discontinued on-the-fly encryption tool. StrongPity targets computers by disguising itself as an installer for this software and then taking full control of the machine. It may also try to steal files, corrupt them, or download further modules onto the machine.

The malware has been observed in locations around the world, including Turkey, North Africa, and the Middle East; according to Kaspersky Lab, the main locations where this infected code resides are Italy and Belgium. The strategy the attackers use to fool users is typosquatting: they register a domain name that differs from the real one by a pair of transposed letters, keeping the URL as close as possible to the authentic installer site. The installer’s file link is then redirected to the legitimate WinRAR distributor site, and this is just the WinRAR front of the campaign.
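As an added defensive example (not code from the article or from Kaspersky Lab), the check below flags download hosts whose second-level label is one adjacent-letter swap away from a trusted distributor domain, the rarlab → ralrab trick described above, and runs it over a few constructed proxy-log lines. It assumes rarlab.com and truecrypt.org as the official sites, takes winrar.be from the article’s screenshot, and the log format is invented.

```python
import re

# Trusted distributor domains. rarlab.com and truecrypt.org are assumptions
# (the official sites); winrar.be is the distributor shown in the article.
TRUSTED = {"rarlab.com", "winrar.be", "truecrypt.org"}


def registrable_label(host: str) -> str:
    """'www.ralrab.com' -> 'ralrab' (second-level label, TLD stripped)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_adjacent_transposition(a: str, b: str) -> bool:
    """True when a and b are equal except for one swapped adjacent pair."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def impersonated_domain(host: str, trusted=TRUSTED):
    """Return the trusted domain that `host` mimics, or None.
    The TLD is deliberately ignored: ralrab.org mimics rarlab.com too."""
    label = registrable_label(host)
    for good in trusted:
        good_label = registrable_label(good)
        if label != good_label and is_adjacent_transposition(label, good_label):
            return good
    return None


LOG_RE = re.compile(r"client=(?P<client>\S+)\s+host=(?P<host>\S+)")


def flag_lookalike_hosts(log_lines):
    """Scan proxy log lines; return (client, host, impersonated) triples."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and (good := impersonated_domain(m["host"])):
            hits.append((m["client"], m["host"], good))
    return hits


# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = [
    "2016-09-12T10:01:02 client=10.0.0.5 host=www.rarlab.com",
    "2016-09-12T10:01:09 client=10.0.0.5 host=ralrab.com",
    "2016-09-12T10:02:41 client=10.0.0.7 host=winrar.be",
    "2016-09-12T10:03:15 client=10.0.0.9 host=treucrypt.org",
]

if __name__ == "__main__":
    for client, host, good in flag_lookalike_hosts(SAMPLE_LOG):
        print(f"{client} fetched from {host}, which looks like {good}")
```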

In the image below, the highlighted blue button reroutes users to ‘ralrab[.]com’, sending victims to the corrupted software site. In some cases (one of which was recorded in Italy), users were not directed to a sham website at all but straight to the StrongPity malware itself.

[Image: winrar.be distributor page with the highlighted download button]

“Kaspersky Lab data reveals that in the course of a single week, malware delivered from the distributor site in Italy appeared on hundreds of systems throughout Europe and Northern Africa/Middle East, with many more infections likely,” the firm said. “Over the entire summer, Italy (87 percent), Belgium (5 percent) and Algeria (4 percent) were most affected. The victim geography from the infected site in Belgium was similar, with users in Belgium accounting for half (54 percent) of more than 60 successful hits.”

Apart from that, the malware was also reportedly directing users to deceitful, corrupt web pages instead of the TrueCrypt software installer. Though many of the tainted WinRAR links have been removed, some tainted TrueCrypt installers still remain, as suggested by Kaspersky Lab’s September report. Development of TrueCrypt was discontinued in May 2014, after Microsoft abandoned Windows XP.

Kurt Baumgartner, principal security researcher at Kaspersky Lab, compares StrongPity to the Crouching Yeti/Energetic Bear attacks, which took over and infected authentic software distribution websites. He calls this trend “unwelcome and dangerous” and says it must be addressed immediately.

“These tactics are an unwelcome and dangerous trend that the security industry needs to address. The search for privacy and data integrity should not expose an individual to offensive waterhole damage. Waterhole attacks are inherently imprecise, and we hope to spur discussion around the need for easier and improved verification of encryption tool delivery,” said Kurt Baumgartner.

The most we can do is keep our users updated and advise them to be cautious when installing utilities, since download pages may contain deceptive links. Destructive malware like StrongPity can easily turn your PC into a damaged machine.
