Researchers at Kaspersky Lab have discovered a new malware named StrongPity which is being spread via bogus WinRAR and TrueCrypt installers. Infection with StrongPity malware would result in attackers gaining full control of the user’s device. The malware is also an information stealer and can be used by the attackers to steal the entire contents of a hard drive.
StrongPity malware infections have mostly been limited to Belgium and Italy, although there have been reports that users in the Middle East and North Africa have also been attacked with the malware. Outside of Italy and Belgium, most attacks have occurred in Turkey and Algeria. At present, no attacks are believed to have occurred in the United States.
Users looking to install the file compression software WinRAR, or the encryption software TrueCrypt, should exercise caution and download the installers only from official sources, taking care that the site they actually land on is the vendor's own and not a lookalike.
The attacks are being performed using spoofed sites which appear to be official at first glance. Closer inspection reveals that the domain name has two adjacent letters transposed, a typosquat that is easy to overlook in a browser address bar or in a link. Some legitimate WinRAR distribution sites were also found to be serving the trojanized installers, or linking to malicious sites that hosted them.
While the attacks started with WinRAR distribution sites, the attackers have since turned their attention to TrueCrypt installers. All distribution sites that linked to the malicious WinRAR installers are understood to have removed the malicious links. However, malicious TrueCrypt installers are still being used to spread StrongPity. TrueCrypt itself was discontinued by its developers in 2014, who warned that it may contain unfixed security issues and pointed users to BitLocker, which ships with Windows Vista and later; even so, people still seek it out, and the attacks are still occurring.
Kaspersky Lab claims at least 1,000 computers have been infected with StrongPity. According to Kurt Baumgartner, principal security researcher at Kaspersky's GReAT group, “While watering holes and poisoned installers are tactics that have been effectively used by other APTs, we have never seen the same focus on cryptographic-enabled software.” He went on to say “We describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.”
As with any software download, it is essential to verify both the download site and the file itself: read the domain name character by character (or reach the vendor's site from a saved bookmark rather than a search result or a link), insist on HTTPS, compare the installer's hash against the value the vendor publishes, and check that the installer carries a valid digital signature from the vendor before running it. A mismatch on any of these is reason enough to discard the file.
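The two checks described above, the one-swap typosquat test for the download site and the hash comparison for the file, as an added example. This is not code from the article or from Kaspersky; the allowlist of official WinRAR hosts and the "installer" byte strings are constructed for this example, and in practice the expected SHA-256 would be the value the vendor publishes, not one computed locally:

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed allowlist for this example: hosts you have verified, out of band, to be
# the vendor's real download sites. Stored without a "www." prefix.
OFFICIAL_HOSTS = {"rarlab.com", "win-rar.com"}


def normalize_host(url_or_host: str) -> str:
    """Lower-case the host part of a URL (or a bare host) and drop a 'www.' prefix."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_adjacent_transposition(a: str, b: str) -> bool:
    """True when a and b differ only by one swapped pair of neighbouring characters."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def classify_host(url_or_host: str) -> str:
    """'official' for an allowlisted host, 'lookalike' for a one-swap typosquat of
    one, 'unknown' for anything else. Only 'official' should be trusted; the
    lookalike label just explains *why* a host is being rejected."""
    host = normalize_host(url_or_host)
    if host in OFFICIAL_HOSTS:
        return "official"
    if any(is_adjacent_transposition(host, good) for good in OFFICIAL_HOSTS):
        return "lookalike"
    return "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def installer_matches(data: bytes, expected_sha256_hex: str) -> bool:
    """Compare the file's SHA-256 with the digest the vendor publishes.
    Constant-time comparison; a single changed byte anywhere fails the check."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.strip().lower())


# Constructed sample "installers" (not real WinRAR bytes) so the script runs offline.
GENUINE_INSTALLER = b"MZ\x90\x00" + b"constructed genuine installer body" * 4
TROJANIZED_INSTALLER = GENUINE_INSTALLER[:-1] + b"!"   # differs from genuine by one byte
PUBLISHED_SHA256 = sha256_hex(GENUINE_INSTALLER)       # stands in for the vendor's posted hash

if __name__ == "__main__":
    for site in ("https://www.rarlab.com/download.htm",
                 "https://www.ralrab.com/download.htm",   # constructed lookalike
                 "https://rarlab-mirror.example/"):
        print(f"{site:45} -> {classify_host(site)}")
    print("genuine installer matches published hash:", installer_matches(GENUINE_INSTALLER, PUBLISHED_SHA256))
    print("trojanized installer matches published hash:", installer_matches(TROJANIZED_INSTALLER, PUBLISHED_SHA256))
```

The transposition test is deliberately narrow: it catches the specific trick the article describes and nothing else, which is why `classify_host` treats every non-allowlisted host as untrusted rather than only the ones it can name as lookalikes. The hash check is only as good as where the expected value came from; a digest copied from the same lookalike page as the download proves nothing, so take it from the vendor's own site or from a signed release note.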