Business Standard

StrongPity's summer watering-holes trap a thousand users in search of encryption

ANI  |  New Delhi [India] 

A stealthy threat actor known as StrongPity has spent the summer luring users of encryption software to its watering holes and infected installers, according to a paper presented at Virus Bulletin by Kaspersky Lab security researcher, Kurt Baumgartner.

Users in Italy and Belgium were hardest hit, but people in Turkey, North Africa and the Middle East were also affected.

StrongPity is a technically capable APT interested in encrypted data and communications. Over the last few months, Kaspersky Lab has observed a significant escalation in its attacks on users looking for two respected encryption tools: WinRAR for document encryption and TrueCrypt for system encryption.

The StrongPity malware includes components that give the attackers complete control of the victim's system, enable them to steal disk contents, and download additional modules to gather up communications and contacts.

Kaspersky Lab has so far detected visits to StrongPity sites and the presence of StrongPity components across more than a thousand target systems.

To trap victims, the attackers built fraudulent websites. In one instance, they transposed two letters in a domain name to fool customers into thinking it was a legitimate installer site for WinRAR software. They then placed a prominent link to this malicious domain on a WinRAR distributor site in Belgium in order to lead unsuspecting users to their poisoned installer.
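A defender-side check for the letter-swap lure described above, written as an added example (not code from the article or from Kaspersky Lab): it flags proxy-log requests whose hostname differs from a known-good distributor only by one transposed pair of adjacent characters. The allowlisted hostnames and the log lines are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed allowlist of legitimate installer hosts (assumed, not from the article).
KNOWN_GOOD = {"winrar-distributor.example", "truecrypt-mirror.example"}

# Constructed proxy log: timestamp, client IP, requested URL.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<url>https?://(?P<host>[^/\s]+)\S*)")


def is_adjacent_transposition(a: str, b: str) -> bool:
    """True when a and b are identical except for one swapped pair of neighbouring characters."""
    if len(a) != len(b) or a == b:
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def lookalike_of(host: str) -> Optional[str]:
    """Return the known-good host that `host` imitates by a letter swap, or None if it is clean."""
    host = host.lower().rstrip(".")
    if host in KNOWN_GOOD:
        return None
    for good in KNOWN_GOOD:
        if is_adjacent_transposition(host, good):
            return good
    return None


def flag_lookalike_requests(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan log lines; return (client, requested host, impersonated host) for each lookalike hit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the constructed format
        impersonated = lookalike_of(m.group("host"))
        if impersonated:
            hits.append((m.group("client"), m.group("host").lower(), impersonated))
    return hits


SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2016-05-28T10:01:02Z 10.0.0.5 http://winrar-distributor.example/download/winrar.exe",
    "2016-05-28T10:01:09Z 10.0.0.7 http://wirnar-distributor.example/download/winrar.exe",
    "2016-05-28T10:02:31Z 10.0.0.9 https://updates.example/index.html",
]

if __name__ == "__main__":
    for client, host, good in flag_lookalike_requests(SAMPLE_LOG):
        print(f"{client} fetched from {host}, a letter-swap lookalike of {good}")
```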

Kaspersky Lab first detected a successful redirection on May 28th, 2016.

At almost the same time, on May 24th, Kaspersky Lab began to spot activity on an Italian WinRAR distributor site. In this instance, however, users were not redirected to a fraudulent website, but were served the malicious StrongPity installer directly from the distributor site.

StrongPity also directed visitors from popular software-sharing sites to its trojanized TrueCrypt installers. This activity was still ongoing at the end of September.

The malicious links from the WinRAR distributor sites have now been removed, but at the end of September the fraudulent TrueCrypt site was still up.

Kaspersky Lab data reveals that in the course of a single week, malware delivered from the distributor site in Italy appeared on hundreds of systems throughout Europe and Northern Africa/Middle East, with many more infections likely. Over the entire summer, Italy (87%), Belgium (5%) and Algeria (4%) were most affected. The victim geography from the infected site in Belgium was similar, with users in Belgium accounting for half (54%) of more than 60 successful hits.

Attacks on users through the fraudulent TrueCrypt site ramped up in May 2016, with 95% of victims located in Turkey.

"The techniques employed by this threat actor are quite clever. They resemble the approach undertaken in early 2014 by the Crouching Yeti/Energetic Bear APT, which involved trojanizing legitimate IT software installers for industrial control systems and compromising genuine distribution sites. These tactics are an unwelcome and dangerous trend that the security industry needs to address. The search for privacy and data integrity should not expose an individual to offensive waterhole damage. Waterhole attacks are inherently imprecise, and we hope to spur discussion around the need for easier and improved verification of encryption tool delivery," said Kurt Baumgartner, Principal Security Researcher, Kaspersky Lab.

Kaspersky Lab detects all StrongPity components as HEUR:Trojan.Win32.StrongPity.gen and Trojan.Win32.StrongPity.*, as well as under other generic detections.

To learn more about the StrongPity watering hole attacks, read the blog on Securelist.com.

(This story has not been edited by Business Standard staff and is auto-generated from a syndicated feed.)
