TrueCrypt Users Being Infected With Malware “StrongPity”.

It’s not often than abandoned software makes news, but never say never. Apparently, certain hackers are distributing installers for TrueCrypt and WinRAR – respectively, a discontinued encryption program and a file compression tool – that have been infected with malware called “StrongPity”. The problem for people who are affected by the malware is that the actual, legitimate software is installed as well, so they’re none the wiser to the surreptitious security breach (unless their antivirus software flags it…which it could fail to do).

Per neowin.net:

The malware contains components that not only has the ability to give attackers complete control on the victim’s computer, but also steal disk contents and download other software that the cybercriminals need. It was found that users in Italy and Belgium were affected the most, but there were also records found in Turkey, North Africa, and the Middle East.

Fake websites were created to distribute the malware-laden installers, taking advantage of potential misspellings in the URL (such as transposing two letters). It’s an old trick that has been used in many cases. As an example, PayPal credentials were stolen by switching the uppercase eye (“I”) and lower case el (“L”); since they look the same in some browsers and fonts, it fooled the most hawk-eyed web surfers into revealing their usernames and passwords to the impostor site.

 

Why Those Countries?

A point of interest may be that the users who are affected by StrongPity were mostly found in Italy and Belgium, and less so in Turkey, North Africa, and the Middle East (and even less in other countries, like Canada and the Netherlands).

Paranoid pattern readers who’ve been following the news and global politics would conclude that StrongPity seems to be targeting a particular group. Turkey and the Middle East have been in turmoil for a while; North Africa as well; and Belgium has been linked earlier this year to one of the worst terrorist events in recent memory. Italy, continuing with this paranoid vision, is supposedly one of the main European conduits for refugees, and within this group hide nefarious posers with ulterior intentions.

The specifics from Kaspersky don’t really do much to dispel such thoughts:

Kaspersky Lab data reveals that in the course of a single week, malware delivered from the distributor site in Italy appeared on hundreds of systems throughout Europe and Northern Africa/Middle East, with many more infections likely. Over the entire summer, Italy (87%), Belgium (5%) and Algeria (4%) were most affected. The victim geography from the infected site in Belgium was similar, with users in Belgium accounting for half (54%) of more than 60 successful hits.

Attacks on users through the fraudulent TrueCrypt site ramped up in May 2016, with 95% of victims located in Turkey.

 

Encryption the Common Link?

Could it be that the malware distributors have a vested interest in these particular countries? Or is it that computer users in these countries are more likely to look for WinRAR and TrueCrypt? And why those two programs in particular? A common element between the two lies in encryption. TrueCrypt is already famous in data security circles and WinRAR, despite being a file compression tool, also incorporates AES-256 encryption. While it’s not the first thing most people would reach for, WinRAR serves in a pinch for securing sensitive files.

 

Stop Using Out of Date Software

It goes without saying that people should stop using TrueCrypt. For starters, its maintenance has been discontinued by the original developers. This means that, if there is a zero-day exploit within (that is, a weakness that can be used to defeat the encryption right now), it will not be fixed. Every single copy of TrueCrypt that is not infected with malware would still be and remain compromised.

Second, the provenance of TrueCrypt is still a mystery. Who made it? Who maintained it? Why did they discontinue it? None of these questions have been answered to satisfaction. An examination of the encryption software has been run by trusted professionals – planned before but conducted after TrueCrypt’s official retirement – and nothing was found amiss (at least, nothing major). No encryption backdoors, for example. But, there are limits to what can be found with limited resources.

(Why the trust in TrueCrypt, if the above is true? One can only assume it was due to the security software’s open nature. The code for TrueCrypt was open for examination by anyone; the fact that those who had the necessary skills to do so hadn’t didn’t detract from the encryption solution’s perceived inviolate nature, technical or otherwise).

 

 

Related Articles and Sites:
https://www.neowin.net/news/strongpity-malware-infects-users-through-legitimate-winrar-and-truecrypt-installers
http://usa.kaspersky.com/about-us/press-center/press-releases/2016/Kaspersky_Lab_Reveals_Advanced_Persistent_Threat_StrongPity
https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/



Comments (0)


Let us know what you think