In the summer of 2016, a cyberespionage actor we call StrongPity infected some open source encryption installers. In addition to distributing infected installers, they also used watering holes targeting arbitrary users, mostly in Italy and Belgium. This tactic is similar to the one used by Dark Hotel to spread across Asia. Now it\u2019s Europe\u2019s turn.<\/p>\n
Our analysis indicates that the StrongPity actor is not only\u00a0determined, but well-resourced and fairly innovative\u00a0as well. Over the summer, they compromised both WinRAR (for its file encryption capabilities) distributor sites, and created a fake mirror image of the sourceforge TrueCrypt site (for open source full disk encryption).<\/p>\n
Mitigate #threats from infected #encryption software.<\/p>Tweet<\/a><\/blockquote>\n
It\u2019s not the first time official distributives of specialized software have been spoofed. In early 2014 Crouching Yeti trojanized legitimate\u00a0ICS-related software\u00a0installers such as industrial camera drivers; the malware was spread by compromising legitimate device driver sites and replacing official installers with the trojanized ones.<\/p>\n
This summer, StrongPity adopted the same tactic. First, they set up a domain name (ralrab[.]com)\u00a0mimicking\u00a0the legitimate WinRAR distribution site (rarlab[.]com). Then they placed links on legitimate European distribution sites to redirect users to malware-infected installers on a new domain:<\/p>\n
<\/p>
Winrar[.]be site with \u201crecommended link\u201d leading to malicious ralrab[.]com.<\/p><\/div>StrongPity also\u00a0redirected users of popular software sharing sites to its trojanized installers. The group redirected visitors from the tamindir[.]com site to their attacker-controlled site at true-crypt[.]com \u2013 a complete replica of the legitimate TrueCrypt site.\n
Tamindir TrueCrypt page with malicious redirection.<\/p><\/div>\n
\u00a0<\/p>\n
StrongPity\u2019s malware droppers are often signed with unusual digital certificates. These modules drop multiple components that give the cyber-criminals complete control of the victim\u2019s system and (the reason for choosing encryption software) effectively steal disk contents. \u00a0To date, over 1000 systems have been detected with a StrongPity component or attempting to download a poisoned\/trojanized installer.<\/p>\n
A new\u00a0#malware gives criminals\u00a0access to #encryption software and the data it is supposed to protect.<\/p>Tweet<\/a><\/blockquote>\n
![](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2016\/10\/06020524\/winrar.be_SP_introduced-2-1024x700.jpg\")
![](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2016\/10\/06020523\/tamindir.truecrypt_redirect.png\")