The infamous StrongPity APT hacker collective has launched an attack that targets mainly Italian and Belgian uses that use encryption tools.
StrongPity APT Are Active Once Again
The StrongPity APT is a hacker group that has operated several sophisticated attacks in the last several years. The criminal collective has used spear phishing attacks, zero-day exploits and modular tools to attack various targets throughout their years of operation.
The most recent attack is focused mainly on Italian and Belgian users and other targets. What is interesting about the targets is that the hackers focus on encryption tools. Computer users who use programs like WINRAR and TrueCrypt are the main target.
They infiltrate target hosts by creating counterfeit sites that spread the malicious tool posing as a WINRAR installation file. The collective have set up a domain name (ralrab.com) that mimics the legitimate WINRAR site and places links on a counterfeit distributor site in Europe to redirect to the fake installers. The Belgian attack uses a recommended link to the counterfeit site in the middle of the localized distribution page. The combined malicious links include the following installers of the malware:
- hxxp://www.ralrab[.]com/rar/winrar-x64-531.exe
- hxxp://www.ralrab[.]com/rar/winrar-x64-531fr.exe
- hxxp://www.ralrab[.]com/rar/winrar-x64-531nl.exe
- hxxp://www.ralrab[.]com/rar/wrar531.exe
- hxxp://www.ralrab[.]com/rar/wrar531fr.exe
- hxxp://www.ralrab[.]com/rar/wrar531nl.exe
- hxxp://ralrab[.]com/rar/winrar-x64-531.exe
- hxxp://ralrab[.]com/rar/winrar-x64-531nl.exe
- hxxp://ralrab[.]com/rar/wrar531fr.exe
- hxxp://ralrab[.]com/rar/wrar531nl.exe
- hxxp://ralrab[.]com/rar/wrar53b5.exe
The other software that is abused is TrueCrypt – the hacker collective also distributes counterfeit binaries of the free encryption program on various sites.
Over the course of several days, the malware delivered by StrongPity APT infected more than 600 systems in Europe, Africa, and the Middle East. The most affected countries in June were Italy, Belgium, Algeria, Cote D’Ivoire, Morroco, France, and Tunisia.
The malware itself is signed with unusual digital certificates. The threat downloads components that give attackers remote control access and the ability to steal the contents of the infected machines.
