Organized APT groups have been using watering-hole attacks for many years, targeting highly specific groups of victims by compromising legitimate sites or setting up their own malicious copycat sites. Researchers have now uncovered a group that is using this tactic to deliver compromised encryption apps to victims.
The group, known as StrongPity, has been operating for several years, but researchers at Kaspersky Lab say the group most recently has been targeting users in a handful of countries who are looking for legitimate encryption apps such as WinRAR and TrueCrypt. By setting up distribution sites that closely mimic authentic download sites, the StrongPity group is able to trick users into downloading trojanized versions of the encryption apps.
“The group has quietly deployed zero-day in the past, effectively spearphished targets, and maintains a modular toolset. What is most interesting about this group’s more recent activity however, is their focus on users of encryption tools, peaking this summer. In particular, the focus was on Italian and Belgian users, but the StrongPity watering holes affected systems in far more locations than just those two. Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well,” Kurt Baumgartner of Kaspersky’s GReAT research team said in a post detailing the group’s activities.
“They set up a domain name (ralrab[.]com) mimicking the legitimate WinRAR distribution site (rarlab[.]com), and then placed links on a legitimate ‘certified distributor’ site in Europe to redirect to their poisoned installers hosted on ralrab[.]com. In Belgium, the attackers placed a ‘recommended’ link to their ralrab[.]com site in the middle of the localized WinRAR distribution page on winrar[.]be.”
Watering hole attacks are designed to lure specific groups of users to sites that cater to their interests. The sites typically house malicious files and target groups such as scientists, financial industry workers, or government employees. The StrongPity group’s campaigns that target encryption users began in May and evolved over the course of the summer. Though they focused mainly on victims in Italy and Belgium, they also affected users in several other countries, including Algeria, France, Morocco, and the Netherlands.
“StrongPity previously set up TrueCrypt themed watering holes in late 2015. But their offensive activity surged in late summer 2016. The group set up a site directly pulled from the contents of the legitimate TrueCrypt website. From mid July to early September, dozens of visitors were redirected from tamindir[.]com to true-crypt[.]com with unsurprisingly almost all of the focus on systems in Turkey, with victims in the Netherlands as well,” Baumgartner said.
The malware delivered by the StrongPity attackers is typically signed with digital certificates and has a variety of capabilities, including stealing disk contents and giving complete control of the infected system, among others. Baumgartner pointed out that while other APT groups have used watering hole attacks in the past, StrongPity seems to be the first one known to have homed in on users of encryption apps.
“While watering holes and poisoned installers are tactics that have been effectively used by other APT, we have never seen the same focus on cryptographic-enabled software. When visiting sites and downloading encryption-enabled software, it has become necessary to verify the validity of the distribution site and the integrity of the downloaded file itself. Download sites not using PGP or strong digital code signing certificates need to re-examine the necessity of doing so for their own customers,” he said.
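The two checks Baumgartner calls for, validity of the distribution site and integrity of the downloaded file, can be automated on the client side. The following is an added example, not code from Kaspersky or from the article; it treats `rarlab.com` as the expected distributor (the lookalike `ralrab[.]com` is from the article), flags near-miss hostnames as lookalikes rather than accepting them, and compares a SHA-256 digest against one published out of band. The sample installer bytes are constructed for illustration.

```python
"""Vet a downloaded installer: expected host and matching published digest."""
import hashlib
from urllib.parse import urlsplit

# Hosts from which we expect to fetch this installer (assumption for the example).
EXPECTED_HOSTS = {"rarlab.com", "www.rarlab.com"}

# Constructed sample: stands in for a real installer and its published digest.
SAMPLE_INSTALLER = b"constructed installer bytes, not a real WinRAR binary"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap.
    A swap catches transposed labels such as 'ralrab' versus 'rarlab'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_host(url: str) -> str:
    """Return 'expected', 'lookalike' (within 2 edits of an expected host) or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in EXPECTED_HOSTS:
        return "expected"
    bare = host[4:] if host.startswith("www.") else host
    for good in EXPECTED_HOSTS:
        good_bare = good[4:] if good.startswith("www.") else good
        if damerau_levenshtein(bare, good_bare) <= 2:
            return "lookalike"
    return "unknown"


def digest_matches(data: bytes, published_sha256: str) -> bool:
    """Compare SHA-256 of the downloaded bytes with the digest published out of band."""
    return hashlib.sha256(data).hexdigest() == published_sha256.lower()


def vet_download(url: str, data: bytes, published_sha256: str) -> bool:
    """Accept only a file served by an expected host whose digest matches."""
    return classify_host(url) == "expected" and digest_matches(data, published_sha256)
```

A lookalike verdict is the useful signal here: the digest check alone passes a trojanized installer whenever the attacker also publishes its hash on the copycat site.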