Malicious versions of WinRAR, Winbox and IDM distribute spyware
The StrongPity spyware is being used for cyber espionage.
The StrongPity APT group is distributing trojanized versions of WinRAR and Winbox (MikroTik's router management utility) to install spyware. The campaign is believed to have begun in the second half of 2018 and is still active, according to researchers at AT&T Alien Labs.
The trojanized installers deliver the StrongPity spyware. StrongPity first drew the attention of security researchers in 2016, in a campaign that distributed fake versions of WinRAR and TrueCrypt.
In early July 2019, Alien Labs discovered a new trojanized Winbox build that silently installed StrongPity on Windows systems. The researchers also identified new malicious builds of the WinRAR utility and of the Internet Download Manager (IDM) download manager.
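The common thread in this campaign is an installer that looks and behaves like the real product but carries an extra payload. A practical check before running any downloaded installer is to confirm its Authenticode signature chain and the publisher named in the signing certificate, and to compare its SHA-256 against the value published by the vendor. The script below is an added example, not code from the Alien Labs report or from any of the affected vendors; the expected hash and publisher name are placeholders the reader supplies from the vendor's official download page or a known-clean copy.

```powershell
# Added example: verify a downloaded installer before executing it.
# $ExpectedSha256 and $ExpectedSigner are assumptions to be filled in by the
# reader; nothing here is taken from the report.
param(
    [Parameter(Mandatory)][string]$Path,
    [string]$ExpectedSha256,   # e.g. value from the vendor's download page
    [string]$ExpectedSigner    # substring of the publisher's certificate Subject
)

function Test-Installer {
    param(
        [string]$Path,
        [string]$ExpectedSha256,
        [string]$ExpectedSigner
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Authenticode: Status is 'Valid' only if the chain builds to a trusted root
    # and the file has not been modified after signing.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash   # uppercase hex

    $problems = @()

    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is '$($sig.Status)' (expected Valid)"
    }
    elseif ($ExpectedSigner -and
            $sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        # A repackaged build re-signed with the attacker's own certificate still
        # reports 'Valid', so the publisher name must be checked as well.
        $problems += "Signed by '$($sig.SignerCertificate.Subject)', " +
                     "not the expected publisher '$ExpectedSigner'"
    }

    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToUpperInvariant()) {
        $problems += "SHA-256 $hash does not match expected $ExpectedSha256"
    }

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Problems        = $problems
        SafeToRun       = ($problems.Count -eq 0)
    }
}

Test-Installer @PSBoundParameters | Format-List
```

Run it as `.\Test-Installer.ps1 -Path .\winrar-x64-580.exe -ExpectedSigner 'win.rar GmbH' -ExpectedSha256 '<hash from vendor page>'` (file name, publisher string and hash are illustrative). An unsigned or `NotSigned` result for a product that normally ships signed is the strongest single signal that the installer has been tampered with; a signature from an unexpected publisher is the second. Neither check helps if the vendor's own signing key or download server has been compromised, which is why the hash comparison against an independently obtained value is still worth doing.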
Once on a system, StrongPity searches the device for stored documents and communicates with its command-and-control server over SSL. The malware also gives the operators remote access to the victim's device, the researchers report.
In earlier campaigns, StrongPity used trojanized versions of CCleaner, Driver Booster, Opera Browser, Skype and VLC Media Player. Although the researchers could not determine exactly how the group delivered the malicious installers in this campaign, they believe StrongPity is reusing its old infrastructure and its usual delivery methods.