Kaspersky Lab’s security team has come across a newly discovered piece of malware called StrongPity, which allegedly corrupts legitimate WinRAR and TrueCrypt files.
WinRAR is one of the best tools for archiving files on Windows, handling both compression and extraction, whereas TrueCrypt is a discontinued on-the-fly encryption tool. StrongPity targets computers by disguising itself as an installer for this software and gaining full control of the machine. It may also try to steal files, corrupt them, or download new modules onto the machine.
The malware has been observed in locations around the world, including Turkey, North Africa and the Middle East, and according to Kaspersky Lab the main sites distributing this infected code are in Italy and Belgium. The attackers fool users by transposing two letters in their domain names, keeping the URL as close as possible to that of the authentic installer site. The installer's file link is then redirected to the legitimate WinRAR distributor site; this is just the WinRAR front.
In the image below, you’ll be able to spot a blue button that we have highlighted. It reroutes users to ‘ralrab[.]com’, taking victims to corrupted software sites, and in some cases (one of which was recorded in Italy) users were not directed to sham websites at all but straight to the StrongPity malware itself.
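As an added example (not code from the article or from Kaspersky Lab), the following Python check flags hostnames in proxy log lines that are exactly one adjacent-letter transposition away from a legitimate distributor domain, the pattern behind ‘ralrab[.]com’ versus rarlab.com, the real WinRAR distributor site. The log lines and the truecrypt.org entry are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Legitimate distributor domains that lookalikes are modelled on.
# rarlab.com is WinRAR's real distributor; truecrypt.org is an assumed
# entry used only to show that the list can hold several domains.
LEGIT_DOMAINS = ["rarlab.com", "truecrypt.org"]

# Pulls the host out of a URL; "[.]" is accepted so defanged indicators work too.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.\[\]-]+)")


def transposition_lookalike(candidate: str, legit: str) -> bool:
    """True if candidate equals legit with exactly one pair of adjacent
    characters swapped in the registrable label (the TLD must match)."""
    cand_label, _, cand_tld = candidate.rpartition(".")
    legit_label, _, legit_tld = legit.rpartition(".")
    if cand_tld != legit_tld or len(cand_label) != len(legit_label):
        return False
    if cand_label == legit_label:
        return False  # identical domain, not a lookalike
    diffs = [i for i, (a, b) in enumerate(zip(cand_label, legit_label)) if a != b]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and cand_label[diffs[0]] == legit_label[diffs[1]]
            and cand_label[diffs[1]] == legit_label[diffs[0]])


def lookalike_of(host: str) -> Optional[str]:
    """Return the legitimate domain a host imitates, or None."""
    host = host.lower().replace("[.]", ".")
    if host.startswith("www."):
        host = host[4:]
    for legit in LEGIT_DOMAINS:
        if transposition_lookalike(host, legit):
            return legit
    return None


def flag_log_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, imitated_domain) pairs for every suspicious line."""
    hits = []
    for line in lines:
        match = HOST_RE.search(line)
        if not match:
            continue
        legit = lookalike_of(match.group(1))
        if legit:
            hits.append((match.group(1), legit))
    return hits


# Constructed proxy log lines (not real traffic) for demonstration.
SAMPLE_PROXY_LOG = [
    "2016-09-14T10:02:11Z GET http://www.ralrab.com/winrar-installer.exe 200",
    "2016-09-14T10:05:40Z GET http://www.rarlab.com/download.htm 200",
    "2016-09-14T10:07:03Z GET http://example.org/ 200",
]

if __name__ == "__main__":
    print(flag_log_lines(SAMPLE_PROXY_LOG))
```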
“Kaspersky Lab data reveals that in the course of a single week, malware delivered from the distributor site in Italy appeared on hundreds of systems throughout Europe and Northern Africa/Middle East, with many more infections likely,” the firm said. “Over the entire summer, Italy (87 percent), Belgium (5 percent) and Algeria (4 percent) were most affected. The victim geography from the infected site in Belgium was similar, with users in Belgium accounting for half (54 percent) of more than 60 successful hits.”
Apart from that, the malware was also reportedly directing users to deceitful, corrupt web pages instead of the TrueCrypt software installer. Though many of the tainted WinRAR links have been removed, some TrueCrypt installers still remain, as suggested by Kaspersky Lab’s September report. Development of TrueCrypt was discontinued in May 2014, after Microsoft ended support for Windows XP.
Kurt Baumgartner, principal security researcher at Kaspersky Lab, compares StrongPity to the Crouching Yeti/Energetic Bear attacks, which took over and infected authentic software distribution websites. He calls this trend “unwelcome and dangerous” and says it must be addressed immediately.
“These tactics are an unwelcome and dangerous trend that the security industry needs to address. The search for privacy and data integrity should not expose an individual to offensive waterhole damage. Waterhole attacks are inherently imprecise, and we hope to spur discussion around the need for easier and improved verification of encryption tool delivery,” said Kurt Baumgartner.
The most we can do is keep our users informed and advise them to be cautious when installing utilities, as the download links may be deceptive. Destructive malware like StrongPity can easily leave your PC a compromised, damaged machine.