StrongPity tampers with WinRAR, Internet Download Manager, spreads malicious spyware

According to Tom Hegel a cyber security researcher at Alien Labs, which is a part of AT&T Cybersecurity platform, some versions of WinRAR file compression tool, Internet Download Manager (IDM) and Winbox software for managing MikroTik users have been modified to install malware. As per the reports, the attack started in the second half of 2018 and continues as of today.

The operation has been accredited with a high level of confidence to StrongPity, an APT-level adversary that specializes in watering hole attacks for cyber-espionage purposes.

StrongPity came into limelight in the year 2016 when it introduced websites to distribute trojanized versions of WinRAR and TrueCrypt. However, researchers at Kaspersky predict that the group has been active longer than that – at least since the year 2012 and utilized zero-day vulnerabilities in spear-phishing attacks. They are also known as the Promethium group.

A few weeks ago, researchers at AT&T Alien Labs also came across new malware samples that attribute to StrongPity. They install from a Trojan-enabled but fully functional copy of Winbox for Window systems.


However, innocent victims are usually unaware of the situation as the software resembles and functions the same way as the legitimate product. The AT&T Alien Labs report that the new malware samples are unreported and appear to be created and deployed to targets after a rebuilt in response to the above public reporting conducted during the fourth quarter of 2018.

The newer versions of WinRAR and Internet Download Manager are also used to install spyware from StrongPity. The researchers also claim that the malware looks for documents and communicates with the command and control server over an SSL connection. It is also capable of providing remote functionality.

Recently, other software packages that was used in a similar manner includes CCleaner, Skype, Driver Booster, Opera Web Browser, and VLC Media Player. The recent study from the Citizen Lab also claims that Avast Antivirus and 7-Zip were also modified previously.


Here, it seems that the ‘bad actors’ are relying on old infrastructure as a beacon destination used in previous campaigns and the findings of previous public reports are still in use for this campaign. it also appears that the group utilized the same tactics in the past for their campaign. In a December 2017 report, ESET also stated that StrongPity campaigns may also involve an Internet Service Provider. through this attack, victims are redirected to malicious version when they try to download software tampered by StrongPity.

StrongPity tampers with WinRAR, Internet Download Manager, spreads malicious spyware

Read next: The best antivirus software for Windows 10 (home users)
Previous Post Next Post