'StrongPity' Malware Infects Users Through Legitimate WinRAR and TrueCrypt Installers (neowin.net)
Kaspersky Lab has revealed a new strain of malware -- named 'StrongPity' -- which targets users looking for two popular applications: WinRAR and TrueCrypt. The malware contains components that not only have the ability to give attackers complete control of the victim's computer, but also steal disk contents and download other software that the cybercriminals need. From a Neowin report: To be able to gather victims, the attackers have built special fake websites that supposedly host the two programs. One instance that was discovered by the researchers is that the criminals transposed two letters in a domain name, in order to fool the potential victim into thinking that the program was a legitimate WinRAR installer website.
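The transposed-letter domain trick described in the summary, as an added defender-side example that is not code from the Neowin or Kaspersky reports: a small Python checker that flags hostnames one edit away from an allow-list of the download domains a user expects. It goes slightly beyond the summary's adjacent-transposition case by using the optimal string alignment distance, so single-character insertions, deletions and substitutions are caught as well. The allow-list and every sample hostname below are constructed for illustration; none is an actual StrongPity domain.

```python
"""Flag lookalike download domains one edit away from an allow-list.

Added example, not from the original post. The allow-list and the sample
hostnames are constructed; the real StrongPity domains are not reproduced.
"""
from typing import List, Optional, Tuple

# Constructed allow-list: the domains a user expects to download from.
KNOWN_GOOD = ["winrar.com", "truecrypt.org"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.

    Insertions, deletions, substitutions and adjacent transpositions each
    cost one edit, so a two-letter swap such as 'nr' -> 'rn' scores 1.
    """
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution or match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def split_host(host: str) -> Tuple[str, str]:
    """Return (second-level label, top-level label) of a hostname, lowercased.

    Naive split on dots: adequate for .com/.org/.it style names, not for
    multi-part public suffixes such as co.uk.
    """
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(host: str) -> Tuple[str, Optional[str]]:
    """Classify a hostname against KNOWN_GOOD.

    Returns one of:
      ("allowlisted", brand)             exact second-level and top-level match
      ("same-name-different-tld", brand) same name under another TLD (review)
      ("lookalike", brand)               name is one edit away from a brand
      ("unrelated", None)                no relation to any allow-listed name
    """
    sld, tld = split_host(host)
    verdicts = []  # (priority, verdict, brand); lowest priority wins
    for brand in KNOWN_GOOD:
        b_sld, b_tld = split_host(brand)
        if (sld, tld) == (b_sld, b_tld):
            verdicts.append((0, "allowlisted", brand))
        elif sld == b_sld:
            verdicts.append((1, "same-name-different-tld", brand))
        elif osa_distance(sld, b_sld) == 1:
            verdicts.append((2, "lookalike", brand))
    if not verdicts:
        return ("unrelated", None)
    _, verdict, brand = min(verdicts)
    return (verdict, brand)


def scan(hosts: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify each host; returns (host, verdict, brand) triples."""
    return [(h,) + classify(h) for h in hosts]


if __name__ == "__main__":
    # Constructed sample hosts pulled from, say, a proxy log's referrer column.
    SAMPLE_HOSTS = ["www.winrar.com", "wirnar.com", "winrar.it",
                    "truecrpyt.org", "example.com"]
    for host, verdict, brand in scan(SAMPLE_HOSTS):
        print(f"{host:18} {verdict:24} {brand or '-'}")
```

In practice the allow-list would come from a curated list of vendor domains, and "same-name-different-tld" is deliberately a review verdict rather than a block, because legitimate regional distributors (the thread itself mentions winrar.it and winrar.be) sit under other TLDs.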
Title smells like bullshit (Score:5, Insightful)
Re: (Score:1)
Re: (Score:3)
Bad writing, but I'm sure the meaning is that it also legitimately installs the actual intended software. Might even be the exact same installer but with a modified payload.
Re: (Score:3)
Isn't that precisely how malware has been spreading since day one?
Re: (Score:2)
Yellow journalism, or the yellow press, is a type of journalism that presents little or no legitimate well-researched news and instead uses eye-catching headlines to sell more newspapers. Techniques may include exaggerations of news events, scandal-mongering, or sensationalism.
That pretty much describes every media outlet around these days.
Re: (Score:2)
Yea, I was expecting to see something in the article where they somehow injected their malware without changing the MD5 or SHA sums and put them back in the official mirrors. That would have been way more impressive.
Re: (Score:3)
not legitimate... It is horrible writing and freaking fearmongering FUD crap that is the norm for slashdot nowadays.
These are MODIFIED installers, the article needs to be corrected
Re: (Score:2)
Looking at some site, the user then finds some site GUI with a swapped out download that offers poor crypto but has the look and feel of the real crypto software.
"On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users" (October 3, 2016)
https://securelist.com/blog/re... [securelist.com]
"Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly
Legitimate (Score:4, Insightful)
Re: (Score:2)
In this case, you're right. But conversely, just because it's legitimate, does not mean it's malware free.
Of course this makes for clickbait, because legitimate installers installing malware are rare, whereas fake installers installing malware is an everyday occurrence.
Legitimate Installers (Score:1)
... no. How could the malware being served qualify as a legitimate installer?
sounds like (Score:1)
someone just downloaded an .exe off a website and ran it.
If I can get someone to do that, you don't need winrar as part of the equation anymore.
Actual source (Score:5, Informative)
Nothing like an ad-infested news page with referral program links to the original source. Here is the actual article, with a sanitized URL:
http://usa.kaspersky.com/about-us/press-center/press-releases/2016/Kaspersky_Lab_Reveals_Advanced_Persistent_Threat_StrongPity [kaspersky.com]
Re: (Score:2)
Re: (Score:3)
7zip is open source and I'm pretty sure it handles rar/zip/gzip too.
Re: (Score:2)
7-Zip has no recovery options. If you're doing backups, but not testing them (which is a classic home scenario), RAR and its extra recovery data can save you.
Re:Wait.. (Score:4, Interesting)
7-zip decompresses RAR files, and makes 7z (LZMA and LZMA2) files which are smaller, "better"* (support multi-threaded compression/decompression and AES encryption) and is multi-platform and open source. Absolutely no reason why it shouldn't be your compression format of choice.
Re: (Score:2)
Cheers, I haven't seen disk fragmentation myself, but I'll look out for it from now on.
And yes, I think you're correct, I don't think 7zip has any recovery or repair mode, but it does make a "best effort" and in my experience will partially recover damaged archives. Of course, since it will depend enormously on the exact file structure, archive structure, and level of damage, this should be regarded more as an anecdote than advice.
Re: (Score:2)
Except for the one construction supplies company who sent infected .rars to several of my users. (To be fair that was about 8 years ago. Things may have got better but I wouldn't hold my breath).
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
Why are people still using something that the authors of same apparently think is compromised?
Because if they really found a serious bug they'd either patch it or tell people where it is and why it needs fixing. The whole "there's a problem here, but I won't tell you what it is", "trust Microsoft, switch to Bitlocker" and so on was just screaming "there's something we can't tell you". It's designed to ruin their credibility so that nobody would trust another Truecrypt release. Why would they do that? The only logical explanation I can think of is that somebody was trying to force them to add a backd
Re: (Score:2)
Re: (Score:2)
Why is this here? (Score:4, Insightful)
Hasn't this been done 1000 times before? What's new here? Why is this newsworthy?
Re: (Score:2)
They're going as far as creating lookalike web sites to host it. I haven't seen this exact thing before personally.
Re:Why is this here? (Score:5, Informative)
The headline stated something rare (legitimate installers of popular programs being infested by malware)
Of course the headline was nothing to do with reality, the article, or even the summary, which is all about the everyday occurrence of fake installers being used to try to trick people into installing malware, which is not new at all.
Re: Why is this here? (Score:1)
I wondered that. The link below mentions unusual and fake certificates.
The malware first appeared on tamindir.com at the end of 2015 redirecting mainly Turkish users to a clone of the truecrypt site then last month links were put on winrar.it and winrar.be to point to copies of the winrar site which affected mainly Italian and Belgian users respectively. The malware was after details of encryption and passwords.
There's no word on how the attackers put links to the malware on legitimate sites.
I'd guess it'
Re: (Score:1)
Why do people feel the need to post "why is this news?" comments? This actually may interest some people. Maybe _you_ already knew it, but there are new people on the site every day. It's pretty egotistical to think that only things that interest you are news. The better question is "why are you posting this?"
Re: (Score:2)
I'm more surprised that Slashdot passed on the error without thinking how stupid it sounded.
You must be new here.
Re: (Score:2)
Malware controls victim's Windows computer (Score:2)
Msmash forgot to mention that this malware is only effective on Microsoft Windows. Go here [distrowatch.com] for an alternative to the Microsoft industry standard.
Re: (Score:2)
Re: (Score:2)
I'm pretty sure you can in WINE. And Truecrypt has Linux versions for sure.
Re: (Score:2)
Other code might be security service friendly by design as a small front company, gov fronted start up or via developers who had to make deals or had cash offers made by govs or got trapped under a US NSL at work.
It's hard to find good crypto that works. Look at the help the security services got over everyday crypto by big US brands under PRISM or VPV sec
Re: (Score:2)
So NOT legitimate, then (Score:2)
'StrongPity' Malware Infects Users Through Legitimate WinRAR and TrueCrypt Installers
in order to fool the potential victim into thinking that the program was a legitimate WinRAR installer website.
It certainly fooled whoever submitted the story.
Now, will someone at Slashdot bother to fix it?
Re: (Score:3)
Why use WinRAR? (Score:2)
Considering removing slashdot from favourites (Score:2)
This is supposedly a tech news site.
There is no way that editing can accidentally be that shit. Malware in "Legitimate installer" - wow that is news. Click through to standard bullshit.
Things like this are a good way to drive away the readership. Only reason I still visit is that the community is still large enough to have interesting discussions around the articles (although the trolling etc is getting worse as time goes on)
(Just wish a few other alternatives would get more active communities)
Ok, folks, where is the story? (Score:2)
First of all, the headline is misleading. For it to be true, you'd have to get infected somehow by installing genuine WinRAR and TrueCrypt software you downloaded from trusted (and trustworthy), genuine sources. Now THAT definitely WOULD be a story!
But what do we have instead? Malware writers using typosquatting techniques to get people to install genuine looking software. Now, it's been a while that I've left the malware analysis business, but even back then, well over a decade ago, this would not have mad