Some versions of WinRAR file compression tool and Winbox software for managing MikroTik users have been tampered with to install malware serving an advanced threat actor. This campaign may have started in the second half of 2018 and continues today.

The operation has been attributed with high confidence to StrongPity, an APT-level adversary that specializes in watering hole attacks for cyber-espionage purposes.

StrongPity came to attention in 2016 when it launched websites to distribute trojanized versions of WinRAR and TrueCrypt, researchers at Kaspersky found.

The group, also known as Promethium, has been active longer than that, though, since at least 2012, and used zero-day vulnerabilities in spearphishing attacks.

Normal behavior in trojanized software

Researchers at AT&T Alien Labs found earlier this month new malware samples they attribute to StrongPity. It installed from a trojanized but fully functional copy of Winbox (sample analysis) for Window systems.

Victims would not notice anything out of order with the software piece as it looked and worked the same way as the legitimate variant.

"The new malware samples have been unreported and generally appear to have been created and deployed to targets following a toolset rebuild in response to the above public reporting during the fourth quarter of 2018." - AT&T Alien Labs.

Newer versions of the popular file archiving utility WinRAR (sample analysis) and Internet Download Manager (sample analysis) - used for controlling and scheduling download tasks, are also used to install spyware from StrongPity.

The malware dropped this way is looking for documents and communicates with the command and control server over an SSL connection. It also provides remote access functionality, the researchers say in a report published today.

Other software used in the past include CCleaner, Driver Booster, Opera Browser, Skype, and VLC Media Player. A report from Citizen Lab says that Avast Antivirus and 7-Zip were also  tampered.

It appears that the threat actor still relies on old infrastructure as a beacon destination used in previous campaigns and revealed in previous public reports is still in use for this campaign.

"Reviewing the compilation timestamps of the identified malware, various clusters of individual campaign start times can be noticed, stretching back into the previous reports of early 2018" - AT&T Alien Labs

It is assumed that the group uses the same tactics seen in the past to deliver its malware. In December 2017, ESET reported on a StrongPity campaign that may have involved an Internet Service Provider.

When targeted victims tried to download software that StrongPity had already trojanized, they would be redirected to the malicious version.

Related Articles:

ScreenConnect flaws exploited to drop new ToddlerShark malware

Exploit available for new critical TeamCity auth bypass bug, patch now

OpenAI blocks state-sponsored hackers from using ChatGPT

Turla hackers backdoor NGOs with new TinyTurla-NG malware