Kaspersky Lab has found a stealthy threat actor known as StrongPity, which includes components that give attackers complete control of a victim’s system.
StrongPity targeted users looking for encryption tools WinRAR and TrueCrypt.
The StrongPity malware enables attackers to steal disk content and to download additional modules to gather communications and contacts.
Kaspersky Lab has detected visits to StrongPity sites and the presence of StrongPity components across more than a thousand target systems.
Watering holes and poisoned installers
To trap victims, the attackers built fraudulent websites. In one instance, they transposed two letters in a domain name to fool customers into thinking it was a legitimate installer site for WinRAR software.
They then placed a prominent link to this malicious domain on a WinRAR distributor site in Belgium to lead unsuspecting users to their poisoned installer.
An Italian WinRAR distributor site served the malicious StrongPity installer directly from the distributor site.
StrongPity also directed visitors from popular software-sharing sites to its trojanized TrueCrypt installers. This activity was still ongoing at the end of September.
The malicious links from the WinRAR distributor sites have now been removed, but at the end of September, the fraudulent TrueCrypt site was still up.
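The watering-hole technique described above relies on a domain that differs from the legitimate distributor's by one transposed letter pair, which is easy to miss by eye but easy to catch mechanically. The following is an added example, not code from the article or from Kaspersky Lab: it generates every adjacent-letter transposition of a constructed allow-list of distributor hostnames and flags proxy log lines whose host matches one. The hostnames, log format and log lines are all constructed placeholders, not the real sites or domains involved in the campaign.

```python
"""Flag single-transposition lookalikes of known-good software distribution
hostnames in proxy log lines (constructed example for defenders)."""
import re
from typing import Iterator, List, Optional, Tuple

# Constructed allow-list of legitimate distributor hostnames. These are
# placeholders; the real distributor sites are not named in the article.
KNOWN_GOOD = {
    "winrar-dist.example",
    "truecrypt-mirror.example",
    "downloads.example",
}


def transpositions(name: str) -> Iterator[str]:
    """Yield every string obtained by swapping one pair of adjacent characters.

    Swapping two identical characters produces the original string, so those
    positions are skipped.
    """
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:
            yield name[:i] + name[i + 1] + name[i] + name[i + 2:]


def lookalike_of(host: str, known_good=KNOWN_GOOD) -> Optional[str]:
    """Return the legitimate hostname that `host` is a one-transposition
    variant of, or None. An exact allow-list match is not a lookalike."""
    host = host.lower().rstrip(".")
    if host in known_good:
        return None
    for good in known_good:
        if host in set(transpositions(good)):
            return good
    return None


# Constructed log format: "<timestamp> <client-ip> <host> <path>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S+)$")


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, host, legitimate_host) for each line whose host
    is a transposition lookalike of an allow-listed distributor."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than fail the whole scan
        legit = lookalike_of(m["host"])
        if legit:
            hits.append((n, m["host"], legit))
    return hits


# Constructed sample proxy log: line 2 and line 3 carry transposed hostnames.
SAMPLE_LOG = [
    "2016-09-30T10:01:02Z 10.0.0.5 winrar-dist.example /download/winrar.exe",
    "2016-09-30T10:02:15Z 10.0.0.7 winrra-dist.example /download/winrar.exe",
    "2016-09-30T10:03:40Z 10.0.0.9 truecrpyt-mirror.example /TrueCrypt-setup.exe",
    "2016-09-30T10:04:00Z 10.0.0.5 news.example /index.html",
]

if __name__ == "__main__":
    for line_no, host, legit in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} looks like {legit}")
```

Running the block on the constructed log reports lines 2 and 3. The same `lookalike_of` check works as a pre-download gate in a software-inventory or download-broker script, and the allow-list can be extended to any vendor whose installers the organisation obtains from a fixed set of sites.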