StrongPity APT Waterhole Attacks

Targeted attack vectors are rising in terms of APTs

Targeted attack vectors are rising in terms of APTs

Kaspersky Lab recently revealed an advanced persistent threat (APT) group called as StrongPity which is so focused on encrypted data and communications, that it has been targeting and contaminating crypto downloads. This APT uses watering hole attacks to smear crypto downloads with malware that had backdoor capabilities and infect users before encryption occurs, in addition to spying on encrypted data and communications.

The StrongPity APT to be precise is a sophisticated and technical capable group, operating under the radar for several years. The group has in silence deployed multiple zero days in the past, meritoriously spear phished targets, and maintains a modular toolset. What is furthermost fascinating, about this group is their recent activities which focused on Italian and Belgian users of encryption tools.  The strongPity watering holes did affect systems in far more locations than just the two focused upon.

The APT in itself

The StrongPity espionage APT has been active for a few years but has mostly been able to avoid notice. They are a technically capable adversary with deep resources. Historically, they have used typical zero-day attacks and modular malware, like many APT groups. However, in late 2015 and through 2016, their focus and tactics saw some significant changes. In particular, their tactics expanded to include watering hole attacks and mass phishing email campaigns.

Their focus changed to target the secure cryptography in the TrueCrypt and WinRAR packages. They poisoned installers for TrueCrypt and WinRAR to install surveillance malware along with the TrueCrypt or WinRAR software.

The malicious versions of TrueCrypt and WinRAR also give the attacker access to the plain text data prior to encryption and after decryption. They set up malicious mimics of the RAR Labs website and the SourceForge site for TrueCrypt. Finally, they used links to these “bent” sites in phishing emails. They also modified legitimate file sharing websites like tamindir[.]com to redirect to their malicious mimic sites.

Encryption Tools

It is clear that this APT is interested in encrypted data and communications. The tools under attack by this group generally enable practices for securing confidentiality and integrity of data. For example, WinRAR compresses and encrypts files and folders with strong suites like AES-256, and TrueCrypt primarily encrypts full hard drives all in one swoop. Both these tools -WinRAR and TrueCrypt offer robust and consistent encryption.

WinRAR enables a person to encrypt a file with AES-256 in CBC mode with a strong PBKDF2 HMAC-SHA256 based key. And, TrueCrypt provides an effective open-source full disk encryption solution for Windows, Apple, Linux, and Android systems. Using both of these tools together, a sort of one-off, poor man’s end-to-end encryption can be maintained for free by putting these two solutions together with free file sharing services.

StrongPity Deception

This APT threat actor accustoms setting up a particularly ingenious portal to deliver ‘trojanized’ WinRAR installers in the summer of 2016. Simply put, the tactics were evenly like – when visiting a legitimate software distribution site, the victim downloads and installs the tool (which in this case the actual tool is replaced by a malware).

Intelligent APT attack vectors

Intelligent APT attack vectors

The modus operandi is similar to one of the earlier Crouching Yeti activities wherein, the intrusions were empowered by ‘trojanizing’ legitimate ICS related IT software installers like SCADA environment VPN client installers and industrial camera software driver installers. Then, they would compromise the legitimate company software distribution sites and replace the legitimate installers with the Crouching Yeti trojanized versions. These maneuvers effectively compromised ICS and SCADA related facilities and networks around the world.

In the case of StrongPity APT, they set up a domain name (ralrab[.]com) mimicking the legitimate WinRAR distribution site (rarlab[.]com), and then placed links on a legitimate “certified distributor” site in Europe to redirect to their poisoned installers hosted on ralrab[.]com. In Belgium, the attackers placed a “recommended” link to their ralrab[.]com site in the middle of the localized WinRAR distribution page on winrar[.]be. The highlighted link referred to the malicious installer, while all the other links on the page directed to legitimate software:

Winrar[.]be site with “recommended link” leading to malicious ralrab[.]com

Winrar[.]be site with “recommended link” leading to malicious ralrab[.]com

The winrar[.]be site evaluated what “recommended” package a visitor may need based on browser localization and processor capability, and accordingly offered up appropriate trojanized versions. Installer resources named for french and dutch versions, along with 32-bit versus 64-bit compiled executables were provided over the summer:

  • hxxp://www.ralrab[.]com/rar/winrar-x64-531.exe
  • hxxp://www.ralrab[.]com/rar/winrar-x64-531fr.exe
  • hxxp://www.ralrab[.]com/rar/winrar-x64-531nl.exe
  • hxxp://www.ralrab[.]com/rar/wrar531.exe
  • hxxp://www.ralrab[.]com/rar/wrar531fr.exe
  • hxxp://www.ralrab[.]com/rar/wrar531nl.exe
  • hxxp://ralrab[.]com/rar/winrar-x64-531.exe
  • hxxp://ralrab[.]com/rar/winrar-x64-531nl.exe
  • hxxp://ralrab[.]com/rar/wrar531fr.exe
  • hxxp://ralrab[.]com/rar/wrar531nl.exe
  • hxxp://ralrab[.]com/rar/wrar53b5.exe

Directory listing, poisoned StrongPity installers, at rarlrab[.]com

Directory listing, poisoned StrongPity installers, at rarlrab[.]com

StrongPity also directed specific visitors from popular, localized software sharing sites directly to their trojanized installers. Much like the poisoned WinRAR installers, multiple filenames have been used to keep up with visitor interests. Visitors may have been directed to the site by other means also and downloaded directly from the ripped and persuasive site.

At the very bottom of the page, there are a couple of links to the following poisoned installers:

  • hxxp://www.true-crypt[.]com/download/TrueCrypt-Setup-7.1a.exe
  • hxxp://true-crypt[.]com/files/TrueCrypt-7.2.exe

Referrers include these localized software aggregates and shares:

  • gezginler[.]net/indir/truecrypt.html
  • tamindir[.]com/truecrypt/indir
True-crypt[.]com malicious StrongPity distribution site

True-crypt[.]com malicious StrongPity distribution site

StrongPity Malware

The StrongPity droppers were often signed with unusual digital certificates, dropping multiple components that not only provide complete control of the victim system, but effectively steal disk contents, and can download components for further collection of various communications and contacts.

The bulk of the victims in these latest campaigns hail from Italy and Belgium. However, victims are spread around Europe and northern Africa, particularly around the “Mediterranean Rim”: France, Italy, Algeria, Tunisia, and Morocco.

StrongPity APT malware contained keyloggers and data stealers such as for scooping up contacts and communications. Yet as further proof of “the group’s interest in users of more encryption-supported software suites,” its malware package was configured to hunt for the following crypto-related software:

  • putty.exe (a windows SSH client)
  • filezilla.exe (supports FTP uploads)
  • winscp.exe (a windows secure copy application, providing encrypted and secure file transfer)
  • mstsc.exe (Windows Remote Desktop client, providing an encrypted connection to remote systems)
  • mRemoteNG.exe (a remote connections manager supporting SSH, RDP, and other encrypted protocols)

Also included in StrongPity components are keyloggers and additional data stealers.

IBM Force – Identified Tactics, Techniques and Procedures (TTPs)

  • Credential and information theft including against Filezilla, PuTTY, WinSCP, and Windows Remote Desktop.
  • Spear phishing attacks.
  • Watering hole attacks.
  • Poisoned installers for TrueCrypt and WinRAR.
  • Use of Zero-day vulnerabilities.
  • Modular malware.
  • The dropper malware is often signed with “unusual” (but undisclosed) certificates.


Widely available, strong cryptography software tools help provide secure and private communications that are now easily obtained and usable. While watering holes and poisoned installers are tactics that have been effectively used by other APTs, it has not been seen in the same form on cryptographic-enabled software.

When visiting sites and downloading encryption-enabled software, it has now become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customer base.

We have seen other APTs such as Crouching Yeti and Darkhotel distribute poison installers and poison executable code, then redistribute them through similar tactics and over p2p networks. Hopefully, simpler verification systems than the current batch of PGP and SSL applications will arise to be adopted in larger numbers.

Users attempting to download the TrueCrypt and WinRAR software, or any other software, must be very careful to ensure that they use legitimate and untainted sites, rather than malicious mimics, like the ralrab[.]com and true-crypt[.]com sites. Of course, users downloading software must also confirm the cryptographic signatures of anything they download.

Until then, strong anti-malware and dynamic whitelisting solutions will be more necessary than ever. Technology thus, can create a better customer experience, improve products and services, increase the effectiveness of business operations and also invert the whole process. it is now important for each business to learn what their enterprise must do to adapt and thrive.

Leave a Reply