The widely respect security firm by the name of Kaspersky Lab recently came out with a new advanced persistent threat group.
Kaspersky Lab is calling the group as StrongPity.
This APT group is so laser-focused on encrypted communications and data that it has even managed to target and then contaminate crypto downloads.
How does this APT work?
Well, this APT makes use of a technique called watering hole cyber attack.
Using this technique, the APT group smears crypto downloads with all types of malware code.
This enables hackers to take advantage of any and all backdoor capabilities and then infect users well before any encryption takes place.
Additionally, using this technique, hackers can also encrypt data and other communications.
The Strongpity APT group is not just your average hacking group.
According to most security groups, StrongPity APT is a technically capable and sophisticated hacking group.
Moreover, it knows how to operate under the radar.
And it has done that for the past several years.
The group works in silence.
And makes use of stealth to deploy multiple zero-day malware into systems.
It has also meticulously spear phished many more cyber targets.
Along with that, StrongPity APT also maintains an unconventional modular toolset.
Furthermore, what is also fascinating is that this group, as far as its recent activities go, has tried to focus its efforts on Belgian and Italian online users.
This is where it uses its encryptions tools.
StrongPity APT watering holes attack are different from other attacks because they affect the system in many more locations than normal attacks which usually hit two focus points.
The APT And Its Existence
As mentioned before, the StrongPity APT has carried out is activities quite regularly in the last couple of years.
But strangely enough, has avoided any notice from law enforcement agencies.
This obviously points towards the fact that the people behind this attack and group are highly technically capable.
And they form an adversary that has a lot of resources to carry out their attacks.
As indicated earlier, they have used zero-day attacks in the past along with modular malware.
Many APT groups do the same but none as clinically as this hacking group.
From the year 2015 to 2016 (throughout 2016 to be precise) security experts saw some substantial modifications to the way this group attacked its targets.
Experts say how this group had changed its focus and some of its tactics.
One of the changes in their tactics came in the form of including a new type of attack called watering hole attack.
They also added the mass phishing email attack that is launched in the form of online campaigns.
And this enabled these hackers to target security cryptography players such as WinRAR and TrueCrypt packages.
What did these hackers do exactly?
Well, they poisoned and corrupted WinRAR and TrueCrypt installers.
This allows these hackers to gain access to plain text data files.
And this access came to the hackers before any sort of encryption could take place.
Hackers also made sure that they received their access to the new data after decryption.
But before encryption.
Great timing, we say.
After gaining access to plain text data files, hackers set up malicious mimics of popular and known RAR labs website.
They also targeted SourceForge official website for the TrueCrypt download.
Near the ending point, hackers used these corrupted links to bend these sites and force them to engage in phishing emails.
Then the hackers modified legitimate file sharing platforms and websites such as tamindir dot com.
And then they redirected it to the newly formed malicious variant of the official website that mimicked the original official website.
More On Encryption Tools
From all the previous discussion, one thing is clear:
These hackers are overly interested in encrypted communications and data files.
And this is evident from the tools they use.
Hackers use such tools usually to carry out practices which enable them to secure the integrity and confidentiality of data.
Just to take an example, let’s talk about WinRAR.
What does WinRAR do?
Essentially, it compresses files.
And then it encrypts those files along with any folders.
It does that with strong encryption technologies such as AES-256 bit.
TrueCrypt works similarly.
It encrypts entire hard drives and it does that with just one action.
Both these tools TrueCrypt and WinRAR offer consistent and robust encryption technologies.
In other words, WinRAR allows a user to encrypt his/her files and holders with an AES-256 bit in CBC mode.
Then it augments then with a strong PBKDF2 HMAC-SHA 256 bit based key.
Whereas, TrueCrypt, offers an effective and open-source solution to full disk encryption.
TrueCrypt supports Windows, Android, Linux, and Apple system.
Users are free to use both these tools or just one of them.
Perhaps using them in some sort of a combination is the best idea.
Using these tools, users can ensure their end-to-end encryption needs are met sufficiently.
Moreover, the basic versions of these tools come for free.
Hence if users can set up these two tools in the right manner, then they can secure their file sharing services for free.
How Does StrongPity Deceive Its Targets?
StrongPity APT is all about routine.
It uses a strong routine to set up some really ingenious portals.
Then it uses those portals to deliver WinRAR installers which are trojanized.
It did so quite successfully in the summer of the year 2016.
Long story short, the tactics worked.
Users visited the legitimate and official software distribution site and proceeded to download files.
But they didn’t know that they had automatically become a victim.
And then they downloaded and installed the infected tools.
Of course, hackers had planned for all of this.
And afterward, they replaced the actual tools with their malware infected ones.
This is quite a clever modus operandi.
But it is not unique.
One earlier hacking group has done the same in the past as well.
Those activities are known as Couching Yeti activities.
This is where hackers carry out intrusions which are specifically powered via trojanized but legitimate ICS related IT software application installers.
Installers such as,
- SCADA environment
- VPN client installers
- Of course, industrial camera software and their driver installers.
As indicated before, hackers also compromise the legitimate and reputed company software distribution websites.
And then they replace the legitimate installers on these sites with the Crouching Yeti versions.
In other words, the trojanized versions.
As you can probably imagine, these maneuvers are effective.
And they successfully compromised SCADA and ICS related facilities.
They also affect networks all over the globe.
StrongPity APT does something very similar.
It first sets up a domain name.
A domain name like ralrab dot com.
This domain name mimics the legitimate and original WinRAR distribute website which is rarlab dot com.
Then hackers move forward and place links on the original and legitimate certified distributor website.
These websites are usually based in Europe.
Hackers then use these techniques to redirect visitors to the pointed installers that are hosted on the domain name ralrab dot com.
All of this stuff happens when the user is in the middle of the localized distribution page on WinRAR.
The actual website is WinRAR dot be.
Hackers also make use of some highlighted links.
These are referred to as the real malicious installers.
Readers should also note that all other links on the given page direct to the original and legitimate software website.
Here is a short description of how the site WinRAR dot be works.
Basically, it evaluates the what RECOMMENDED packages an online visitor may like or need based on the user’s processor capability and browser localization.
Then this malicious site offers up appropriate and related trojanized versions of those legitimate software installers.
It does that for each individual user who visits the site.
Hackers also name their malicious installer resources with Dutch and French names and versions.
They also provide the 64-bit and 320bit versions for their completed executables.
This is exactly what these hackers did back in the summer of 2016 as well.
StrongPity And Its Maliciousness
StrongPity APT directed particular visitors from localized and popular software application sharing websites directly to the hacker’s trojanized installers.
This is much like what we witnessed in the poisoned WinRAR installers case.
Hackers use multiple file names just to make sure that visitors keep coming back to the website and remain interested in what the website has to offer.
There is no way to find out exactly how many visitors hackers redirected to their poisoned website.
Because hackers could have used other methods as well.
Of course, users are free to go to the malicious software application website and download files directly from there.
If the site is properly ripped and persuasive enough, then hackers can get close to users from the malicious site as well.
StrongPity APT attack also showed a couple of software links at the bottom of the page.
All of these links connected the pages for the poisoned installers with the legitimate software distribution site.
StrongPity Malware Is Not A Weak Malware
Hackers often signed off StrongPity droppers with unusual and weird looking digital certificates.
Hackers dropped several components that provided hackers with a complete control of the user’s computer system.
Moreover, these droppers also allowed the hackers to effectively steal the victim’s disk contents.
After this, if they wanted to then hackers could download more components for further collection of different types of communications and other contacts.
The latest campaign from this group has targeted users from Belgium and Italy.
And in most cases, they have managed to hack into their systems and make them victims instead of just users.
Interestingly enough, the users are pretty evenly spread across Northern Africa and Europe.
This hacking group focused particularly on the Mediterranean Rim as well.
In other words, hackers targeted users from places such as,
StrongPity APT is different from other malware in one other critical sense:
This malware contains keyloggers as well as data stealers.
These tools allow the hackers to scoop up communications along with user contacts.
Do we need any more proof that this hacking group is very adept at encryption technologies?
Simply put, this group targeted users who used a lot of encryption supported software application suites.
The hackers in this group packaged and configured their malware in such a way that it hunted for the most known crypto-related software.
Type of applications that StrongPity attack group likes to go after,
- mRemoteNG.exe: this is a remote connections manager. It supports RDP, SSH and other types of encryption protocols
- Mstsc.exe: This is just a Windows Remote Desktop client. It provides that much-wanted encrypted connection to the related remote systems.
- Winscp.exe: this is another Windows operating system secure copy software application. It provides secure and encrypted file transfers.
- Filezilla.exe: It is used for FTP uploads.
- Putty.exe: this one is just an SSH client for the Windows operating system.
As mentioned before StrongPity APT components to include data stealers and many types of keyloggers.
IBM Force TTPs (Techniques, Procedures along with Identified Tactics)
- Modular malware
- Watering hole cyber attacks
- Spear phishing cyber attacks
- Zero-day vulnerability attacks
- Infected WinRAR and TrueCrypt installers
- Malware droppers: hackers usually sign this off with unknown and undisclosed certificates.
- Information theft
- Credential theft which includes targeting services such as Windows Remote Desktop, WinSCP, putty, and Filezilla.
StrongPity APT Conclusion
We live in the internet age.
This is a time period where there are tons of strong cryptography software application tools available to all users.
And they are available for free or for a nominal charge.
They help users to secure their files and folders.
These tools also help users to achieve perfect privacy for their communications.
Users can obtain and use all of these tools rather easily and quickly.
This new hacking group aims to undo all of that progress.
And it has tried to do that with techniques such as poisoned installers and water holes attacks.
Other hacking APTs have also used these techniques with much success.
But no one has ever witnessed this technique used for cryptographic-enabled software applications.
What Should The Users Do Now?
Users should know that they can’t trust anything now.
In other words, when they visit a software distribution website and download an installer from the site, they must ensure and verify the validity of that particular software distribution website.
They must also ensure that the integrity of the downloaded file is intact and proper.
What Should Software Distribution Sites Do?
They should make use of strong digital code signing certificates.
They should also use PGP for their sites.
If they are not using these security measures then they need to re-examine the need for doing so.
Otherwise, they risk losing a huge customer base.
As mentioned before other APTs such as Darkhotel and Crouching Yeti also distribute poisoned executable code along with poisoned installers.
Then they redistribute these malware infected installers via popular methods such as P2P networking.
A simple verification system can help too.
Websites of all types must make sure that they adopt SSL and PGP standards as soon as possible.
Users to want to download WinRAR and TrueCrypt software applications, or any other type of application must do so with caution.
They must show care in ensuring that the sites are untainted and legitimate.
The malicious mimics we have talked about in this post resemble the original ones a great deal.
So proper attention is needed on part of the users.
Mimics like true-crypt dot com and ralrab dotcom.
Users who want to download software applications must make sure that they confirm the cryptographic signatures of all the files they download from the internet.
Of course, solutions such as dynamic whitelisting and anti-malware programs can work.
But they will become more of a necessity than extra protection.
We also need more anti-malware products and services.
Security firms need to increase the effectiveness of their products.
Businesses also need to ensure that their operations are carried out under secure circumstances.
Some might say that there is a need to invert the entire process as well.
Businesses must learn how to adapt and thrive in an environment where hackers are looking to harm them at every nook and corner.