Don't click on that blue button! | via SecureList

A new strain of malware has been discovered by Kaspersky Labs, named 'StrongPity,' which targets users looking for two legitimate computer programs, WinRAR and TrueCrypt. WinRAR is a file archiver utility for Windows, which compresses and extracts files, while the latter is a discontinued encryption tool.

The malware contains components that not only has the ability to give attackers complete control on the victim's computer, but also steal disk contents and download other software that the cybercriminals need. It was found that users in Italy and Belgium were affected the most, but there were also records found in Turkey, North Africa, and the Middle East.

To be able to gather victims, the attackers have built special fake websites that supposedly host the two programs. One instance that was discovered by the researchers is that the criminals transposed two letters in a domain name, in order to fool the potential victim into thinking that the program was a legitimate WinRAR installer website.

In the image above, clicking on the blue button will direct users to 'ralrab[.]com,' an obvious trickery done by cybercriminals to fool victims. Going through this link will lead unsuspecting users to the malicious software. Interestingly enough, there was a recorded case in Italy back in May where users were not directed to a fraudulent site anymore, but they were led to the StrongPity malware itself.

StrongPity was also found directing visitors from popular software sharing websites to a poisoned installer of the TrueCrypt software. Malicious WinRAR links have been removed, but there were still redirects found on TrueCrypt installers by the end of September.

According to Kurt Baumgartner, this method of cybercriminals can be compared to the Crouching Yeti/Energetic Bear attacks, which compromised legitimate software distribution websites. He states:

"These tactics are an unwelcome and dangerous trend that the security industry needs to address. The search for privacy and data integrity should not expose an individual to offensive waterhole damage. Waterhole attacks are inherently imprecise, and we hope to spur discussion around the need for easier and improved verification of encryption tool delivery.”

At this point, wherever in the world we may be, we advise our readers to exercise caution when it comes to downloading software from untrusted websites. Malware such as StrongPity are simply waiting for its next victim, potentially compromising your security in the long run once infected.

Source: Kaspersky (1) (2)