Hackers infecting legit WinRAR, TrueCrypt installers with ‘StrongPity’ malware

Kevin Parrish
Digital Trends
Webcam ‘sextortion’ cases are on the rise, says U.K.’s National Crime Agency
Falling under the general criminal category of sextortion, webcam blackmail cases are growing. The U.K.'s National Crime Agency (NCA) released a report indicating that cases in that country have more than doubled in 2016.

Security firm Kaspersky Lab revealed on Monday a new malware called StrongPity. It targets web surfers who are looking for two specific tools: WinRAR and TrueCrypt. The former is a popular file compression program, and the latter was once an open-source, on-the-fly encryption tool. StrongPity poses as installers for these two tools, and will provide attackers complete control of the victim’s system once installed.

According to Kaspersky Lab, the StrongPity attack resides mainly in Italy and Belgium, but the malware has also hit people located in Turkey, North Africa, and the Middle East. On the WinRAR front, the malware is served up on fake websites that use two transposed letters in their domain names to resemble an authentic installer site. The file’s link on the fake domain is then provided to a legitimate WinRAR distributor site.

Related: Malware allows attackers to silently steal webcam video from your Mac, expert says

“Kaspersky Lab data reveals that in the course of a single week, malware delivered from the distributor site in Italy appeared on hundreds of systems throughout Europe and Northern Africa/Middle East, with many more infections likely,” the firm said. “Over the entire summer, Italy (87 percent), Belgium (5 percent) and Algeria (4 percent) were most affected. The victim geography from the infected site in Belgium was similar, with users in Belgium accounting for half (54 percent) of more than 60 successful hits.”

Kaspersky Lab first saw this method taking place in Belgium on May 28. Prior to that, the security firm witnessed an Italian WinRAR distribution site directly handing out the fake WinRAR installer instead of linking to an impostor site. The good news here is that all affected WinRAR distribution sites have removed the infected file and/or fraudulent mirror links. The bad news is that the StrongPity attack is still ongoing.

What’s surprising it that StrongPity is presently attacking its victims through TrueCrypt installers. Development of this tool ended in May 2014 once Microsoft pulled the plug on Windows XP’s life support. TrueCrypt was no longer needed because Microsoft baked support for encrypted disks and virtual disk images into Windows Vista and newer versions. Thus, the only service the TrueCrypt developer provides now concerns the steps involved in migrating from the TrueCrypt format to BitLocker.

The firm said on Monday that the infected TrueCrypt installer was still active at the end of September. Apparently there is only one fraudulent TrueCrypt website handing out the infected installer, which experienced increased activity in May, claiming 95 percent of its victims in Turkey.

Kurt Baumgartner, principal security researcher at Kaspersky Lab, made the initial announcement regarding StrongPity’s discovery in a paper presented during the Virus Bulletin 2016 conference. He said that StrongPity is similar to Crouching Yeti/Energetic Bear that trojanized legitimate IT software installers and compromised “genuine distribution sites.” This type of attack is an “unwelcome and dangerous” trend that needs to be addressed by the security industry, he added.

In addition to completely taking over a victim’s computer, hackers behind the StrongPity attack can also steal the contents of a hard drive, and download additional modules that will scoop up the infected PC’s communications and contacts. Naturally, Kaspersky Lab software will detect and remove the StrongPity malware.