Kaspersky Lab revealed an advanced persistent threat (APT) group that is so focused on encrypted data and communications that it has been targeting and tainting crypto downloads. By infecting users before encryption occurred, the attackers could spy on encrypted data.
Although StrongPity, which has managed to evade detection for several years, is technically advanced and stealthy, Kaspersky Lab security researcher Kurt Baumgartner of the company's Global Research and Analysis Team (GReAT) also called the group “fairly reckless and innovative.”
Like other APT groups, StrongPity has used zero-days, social engineering, spearphishing tactics and modular attack tools, but this summer it homed in on the encryption tools TrueCrypt and WinRAR.
Kaspersky Lab noted, “While watering holes and poisoned installers are tactics that have been effectively used by other APT, we have never seen the same focus on cryptographic-enabled software.”
For its WinRAR watering hole attacks, StrongPity set up the domain name ralrab[.]com, which is close to the legitimate WinRAR site rarlab.com. It then replaced the download links on popular and legitimate sites with links that redirected users to poisoned WinRAR installers on the group’s closely named domain.
Although the tactics to infect users with trojanized WinRAR versions varied slightly in different countries, those tactics followed the same pattern. Baumgartner explained this one example, “The big blue recommended button (here in French) linked to the malicious installer, while all the other links on the page directed to legitimate software.”
The group pulled similar tricks to infect users looking to download TrueCrypt, redirecting visitors from a software aggregation site to the attacker-controlled “ripped and persuasive” site. Kaspersky Lab pointed out, “The StrongPity-controlled Truecrypt site is a complete rip of the legitimate site, now hosted by Sourceforge.”
Kaspersky Lab detected six malware droppers used in WinRAR watering hole attacks. The dropper malware was signed with “unusual digital certificates,” but the attack group did not re-use its fake digital certificates. The real WinRAR software would be installed alongside malware that gave StrongPity backdoor and spying capabilities.
StrongPity APT malware contained keyloggers and data stealers, including components for scooping up contacts and communications. Yet as further proof of “the group’s interest in users of more encryption-supported software suites,” its malware package was configured to hunt for the following crypto-related software:
- putty.exe (a Windows SSH client)
- filezilla.exe (supports FTP uploads)
- winscp.exe (a Windows secure copy application, providing encrypted and secure file transfer)
- mstsc.exe (Windows Remote Desktop client, providing an encrypted connection to remote systems)
- mRemoteNG.exe (a remote connections manager supporting SSH, RDP, and other encrypted protocols)
Over 1,000 systems infected with StrongPity APT malware worldwide
During a little more than one week in the summer, “malware delivered from winrar.it appeared on over 600 systems throughout Europe, Northern Africa and the Middle East.” Top countries smacked with StrongPity malware were Italy, Belgium and Algeria.
The TrueCrypt watering hole attacks started in late 2015, but StrongPity ramped up its activity in summer to late September 2016. The majority of victims were in Turkey, although some systems in the Netherlands were infected as well.
In total, between the tainted WinRAR and TrueCrypt downloads, there were over 1,000 systems infected with StrongPity malware during the summer of 2016.
The problem is not crypto software; in fact, when TrueCrypt and WinRAR are used together, a “poor man’s end-to-end encryption can be maintained for free.” The problem is how the crypto software is being distributed, since all the crypto in the world won’t help if the bad guys can get in to snoop before the encryption occurs.
When visiting sites and downloading encryption-enabled software, it has become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customers. We have seen other APT such as Crouching Yeti and Darkhotel distribute poisoned installers and poisoned executable code, then redistribute them through similar tactics and over P2P networks. Hopefully, simpler verification systems than the current batch of PGP and SSL applications will arise to be adopted in larger numbers. Until then, strong anti-malware and dynamic whitelisting solutions will be more necessary than ever.
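As an added, defender-side illustration of the two checks this passage calls for, and of the lookalike-domain link replacement described earlier on this page (not code from Kaspersky Lab or the original article): a small Python audit that flags download links whose host is a near-miss of an allowlisted vendor domain, and compares a downloaded file's SHA-256 against a published value. The allowlist, the sample HTML and the regex-based link extraction are assumptions made for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Assumption: a defender-maintained allowlist of legitimate distribution domains.
# rarlab.com and sourceforge.net are the two legitimate hosts named on this page.
OFFICIAL_HOSTS = {"rarlab.com", "sourceforge.net"}
LOOKALIKE_MAX_DISTANCE = 2  # edit distance at or below this is treated as a near-miss

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute); ralrab.com vs rarlab.com is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels (www.rarlab.com -> rarlab.com)."""
    return ".".join(host.lower().split(".")[-2:])

def classify_host(host: str) -> str:
    """'official' if allowlisted, 'lookalike' if within edit distance of an allowlisted domain, else 'unknown'."""
    dom = registrable(host)
    if dom in OFFICIAL_HOSTS:
        return "official"
    if any(levenshtein(dom, good) <= LOOKALIKE_MAX_DISTANCE for good in OFFICIAL_HOSTS):
        return "lookalike"
    return "unknown"

HREF_RE = re.compile(r'href="([^"]+)"')  # assumption: simple double-quoted hrefs only

def audit_download_links(html: str) -> list:
    """Return (url, verdict) pairs for every link on a download page."""
    return [(url, classify_host(urlparse(url).hostname or "")) for url in HREF_RE.findall(html)]

def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Integrity check of a downloaded installer against the vendor-published hash."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()

# Constructed sample page mirroring the tactic on this page: the prominent download
# button points at the lookalike domain, the other links point at legitimate hosts.
SAMPLE_HTML = """
<a class="btn-big" href="http://ralrab.com/download/winrar-setup.exe">Télécharger</a>
<a href="https://www.rarlab.com/download/winrar-setup.exe">WinRAR 64-bit</a>
<a href="https://sourceforge.net/projects/truecrypt/">TrueCrypt</a>
"""

if __name__ == "__main__":
    for url, verdict in audit_download_links(SAMPLE_HTML):
        print(f"{verdict:9s} {url}")
```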