The StrongPity APT has resurfaced, with a focus on users of encryption tools.
According to Kaspersky Lab, strong cryptography tools that provide secure, private communications are now widely available, easily obtained and easy to use. In the summer of 2016, the StrongPity APT targeted users of several such encryption-enabled applications with watering-hole attacks, social engineering and spyware.
The group delivered trojanized WinRAR installers. (WinRAR itself packs and encrypts archives with strong primitives: in the RAR5 format, AES-256 in CBC mode with a key derived via PBKDF2-HMAC-SHA256.)
The attackers registered a domain name mimicking the legitimate WinRAR distribution site, then placed links on a legitimate "certified distributor" site in Europe that redirected users to their poisoned installers. In Belgium, they inserted a "recommended" link to the malicious site in the middle of the localized WinRAR distribution page: a big blue button led to the malicious installer, while every other link on the page pointed to legitimate software.
StrongPity also redirected selected visitors of popular, localized software-sharing sites in France and Belgium straight to trojanized TrueCrypt installers. TrueCrypt is an open-source full-disk encryption tool for Windows, Apple, Linux and Android systems; note that its developers discontinued it in May 2014, so any download offered in 2016 came from a third party rather than the original project.
This activity continued into late September 2016, resulting in more than 1,000 systems infected with a StrongPity component. The top five countries affected are Italy, Turkey, Belgium, Algeria and France.
“This activity reminds us somewhat of the early 2014 Crouching Yeti activity,” said Kurt Baumgartner, principal security researcher at Kaspersky’s GReAT group. “Much of the Crouching Yeti intrusions were enabled by trojanizing legitimate ICS-related IT software installers like SCADA-environment VPN client installers and industrial camera software driver installers. Then, they would compromise the legitimate company software distribution sites and replace the legitimate installers with the Crouching Yeti trojanized versions. The tactics effectively compromised ICS and SCADA related facilities and networks around the world.”
Simply put, even when visiting a legitimate company distribution site, IT staff were downloading and installing ICS-focused malware. StrongPity’s campaign works the same way: the trust users place in a familiar distribution page is turned against them.
“The group has quietly deployed zero-day in the past, effectively spearphished targets and maintains a modular toolset,” said Baumgartner. “While watering holes and poisoned installers are tactics that have been effectively used by other APTs, we have never seen the same focus on cryptographic-enabled software.”
He added, “We describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.”
When downloading encryption-enabled software, IT staff should verify both the legitimacy of the distribution site and the integrity of the downloaded file itself, before running it. Download sites that do not offer PGP signatures or strong code-signing certificates should re-examine whether they need to provide them for their own customers as well, Kaspersky recommended.
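The two checks Kaspersky recommends, confirming where an installer really came from and confirming that the file is intact and signed by the expected publisher, as an added PowerShell example. This is not code from the article or from Kaspersky; the trusted download host, publisher name and published hash are placeholders to be filled in from the vendor's own site, since the article names none of them. It relies on three things Windows already provides: the Zone.Identifier alternate data stream (Mark of the Web) that browsers write on downloaded files, Authenticode signature validation, and SHA-256 hashing.

```powershell
# Added example: pre-install trust check for a downloaded Windows installer.
# Three independent checks, any one of which would have flagged the trojanized
# installers described above:
#   1. origin   - the HostUrl recorded in the Zone.Identifier stream must be a host we trust
#   2. signer   - the Authenticode signature must be Valid AND from the expected publisher
#   3. integrity- the SHA-256 must match the hash the vendor publishes out of band
# TrustedHosts, ExpectedPublisher and ExpectedSha256 are placeholders supplied by the caller.

function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $TrustedHosts,       # vendor's own download host(s)
        [Parameter(Mandatory)] [string]   $ExpectedPublisher,  # substring of the signer Subject, e.g. 'CN=Example Vendor'
        [string] $ExpectedSha256                               # hash from the vendor's page, fetched separately
    )

    $ok = $true

    # 1. Origin. A look-alike domain fails here even if the file carries a valid signature.
    try {
        $motw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        $hostUrl = ($motw | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
        if ($hostUrl) {
            $downloadHost = ([uri]$hostUrl).Host
            if ($TrustedHosts -notcontains $downloadHost) {   # -contains is case-insensitive
                Write-Warning "Downloaded from untrusted host '$downloadHost' (expected one of: $($TrustedHosts -join ', '))"
                $ok = $false
            }
        } else {
            Write-Warning "Zone.Identifier has no HostUrl; origin cannot be confirmed"
            $ok = $false
        }
    } catch {
        Write-Warning "No Zone.Identifier stream on '$Path'; origin cannot be confirmed"
        $ok = $false
    }

    # 2. Signer. 'Valid' means the chain builds to a trusted root and the signed hash
    #    still matches the file. Also pin the publisher: a valid signature from some
    #    other certificate is exactly what a re-signed trojanized build would present.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        $ok = $false
    } elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        Write-Warning "Signed by '$($sig.SignerCertificate.Subject)', not the expected publisher"
        $ok = $false
    }

    # 3. Integrity. Compare against a hash obtained over a separate channel, never from
    #    the same page that served the installer (an attacker who controls that page
    #    controls the hash too). PowerShell string comparison is case-insensitive.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            Write-Warning "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
            $ok = $false
        }
    }

    return $ok
}

# Usage with placeholder values (substitute the vendor's real host, signer name and hash):
$installer = Join-Path $env:USERPROFILE 'Downloads\installer.exe'
if (Test-InstallerTrust -Path $installer `
        -TrustedHosts @('downloads.example-vendor.test') `
        -ExpectedPublisher 'CN=Example Vendor' `
        -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000') {
    Start-Process -FilePath $installer
} else {
    Write-Host "Refusing to run '$installer'; see warnings above."
}
```

The order matters less than running all three: the origin check catches the redirected download described in this article, the signer check catches an unsigned or re-signed build placed on a site the attacker could not otherwise have touched, and the hash check is the only one that works for software such as TrueCrypt that ships without a code-signing certificate. Files downloaded by tools that do not write a Zone.Identifier stream (many command-line clients) will fail the origin check by design; in that case confirm the source manually rather than skipping the step.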