Malicious versions of WinRAR, Winbox and IDM distribute StrongPity spyware

The APT group StrongPity is using malicious versions of WinRAR and Winbox to install spyware.

The malicious campaign reportedly began in the second half of 2018 and is still ongoing.

Researchers from AT&T’s Alien Labs division reported on it.

Using these trojanized versions of the programs, the attackers are distributing the sophisticated StrongPity spyware. StrongPity first attracted the attention of security experts in 2016, in a campaign that distributed fake versions of WinRAR and TrueCrypt.

“Exposure of its activity didn’t deter the group, and in 2019 it has come up with new malware, which is now targeting users located in Turkey,” report Alien Labs specialists.

At the beginning of July 2019, researchers at Alien Labs discovered a new malicious version of Winbox that silently installed the StrongPity malware on Windows systems. In addition, the experts identified new malicious versions of the WinRAR utility and Internet Download Manager (IDM).

Once installed, StrongPity searches for documents stored on the device and communicates with its command-and-control server over SSL. The malware also gives the attackers remote access to the victim’s device.

“The malicious installer downloads the StrongPity malware into the Windows Temporary directory as %temp%DDF5-CC44CDB42E5wintcsr.exe,” report the information security specialists.

In previous campaigns, the StrongPity attackers used malicious versions of CCleaner, Driver Booster, Opera Browser, Skype and VLC Media Player. Although the experts were unable to determine exactly how the group distributed the malicious versions of the utilities during this campaign, they believe StrongPity is reusing its earlier infrastructure and its usual methods of delivering malware.