
StrongPity: Advanced Persistent Threat - nerdy
http://usa.kaspersky.com/about-us/press-center/press-releases/2016/Kaspersky_Lab_Reveals_Advanced_Persistent_Threat_StrongPity
======
snuxoll
Still missing details on how this qualifies as an APT, this seems nothing more
than a basic trojan horse unless Kaspersky is for whatever reason neglecting
to talk about whatever persistence mechanisms it has in place beyond the
basics (startup entry of some form).

Malware explicitly targeting crypto software is scary regardless, however.

~~~
jcrawfordor
The "persistent" in APT refers to the threat actor, not the tools themselves.
So this is an APT because the threat actor has shown persistence by e.g. using
multiple SWCs over a period of time and evolving their techniques. The
individual tools used by the threat actor may not persist and in fact often
don't, as APTs are much more likely to cover their tracks since they have a
longer-term vision.

~~~
nerdy
Not to mention they can reinfect via download and the malware scans the
system[1] for:

- putty.exe
- filezilla.exe
- winscp.exe
- mstsc.exe
- mRemoteNG.exe

The malware also has the capabilities to fetch new instructions, so there's no
telling what happens when any particular software is detected.

[1] [https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users](https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users) (linked in the first line of this thread's article)

------
poorman
Seems like there could be a use for a distributed service that automatically
checks the signature of common downloaded executables, especially in the
Microsoft world. It's not enough for vendors to simply put the signature on
their website.

~~~
arkem
This exists, it's not 100% effective because it's generally implemented as a
UI flow change where less trusted binaries get scarier "are you sure?" popups
and only the most obviously malicious files are blocked.

Edge has Microsoft SmartScreen[1], Chrome has CAMP[2] / Safe Browsing and
Firefox has a system that also uses Google's data[3].

[1] [https://technet.microsoft.com/en-us/itpro/microsoft-edge/security-enhancements-microsoft-edge](https://technet.microsoft.com/en-us/itpro/microsoft-edge/security-enhancements-microsoft-edge)

[2] [https://www.cs.jhu.edu/~moheeb/aburajab-ndss-13.pdf](https://www.cs.jhu.edu/~moheeb/aburajab-ndss-13.pdf)

[3] [https://wiki.mozilla.org/Security/Features/Application_Reputation_Design_Doc](https://wiki.mozilla.org/Security/Features/Application_Reputation_Design_Doc)

Edit: I missed the part where you meant to proactively check against
publisher-provided signatures. The above systems do that only by looking at
the code's embedded signature and indirectly via "wisdom of the crowds" style
reputation.
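A host-side version of the check poorman is asking for, as an added example that is not from the thread or from any of the products arkem lists: it reads the embedded Authenticode signature and pins the expected signer's certificate thumbprint, so an installer that merely carries some valid signature from a different publisher is still rejected. The file path and thumbprint are placeholders to be filled in from a known-good copy of the vendor's certificate.

```powershell
# Added example (not the thread's or any vendor's code): verify a downloaded
# installer's embedded Authenticode signature and pin the signer before running it.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholder: SHA-1 thumbprint of the publisher's known-good signing certificate.
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File       = $Path
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Status     = $sig.Status                       # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = $sig.SignerCertificate.Subject    # $null when the file is unsigned
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Verdict    = 'REJECT'
    }

    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint) {
        # Signature chains to a trusted root AND the signer is the one we pinned.
        $result.Verdict = 'OK'
    }
    elseif ($sig.Status -eq 'Valid') {
        # The weak spot of "is it signed at all?" checks: a swapped binary with
        # someone else's valid certificate would pass without the thumbprint pin.
        $result.Verdict = 'REJECT: valid signature but unexpected signer'
    }
    elseif ($sig.Status -eq 'NotSigned') {
        $result.Verdict = 'REJECT: unsigned'
    }
    else {
        # HashMismatch (tampered after signing), NotTrusted, NotSupportedFileFormat, ...
        $result.Verdict = "REJECT: $($sig.Status)"
    }

    [pscustomobject]$result
}

# Usage with placeholder values; record Sha256 alongside the verdict for later comparison.
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\installer.exe" `
    -ExpectedThumbprint 'PLACEHOLDER_THUMBPRINT_FROM_KNOWN_GOOD_CERT' | Format-List
```

Run it on the downloaded file before executing it; anything other than an OK verdict means the file should be re-obtained from the vendor rather than run.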

------
yupyupp
Since the article mentions nothing about veracrypt I assume veracrypt
downloads/mirrors for windows users were unaffected. Does anyone know if this
is true?

------
hbeaver
Personally the only site I'll trust downloads of Truecrypt is GRC (Gibson
Research Corporation) in US:
[https://www.grc.com/misc/truecrypt/truecrypt.htm](https://www.grc.com/misc/truecrypt/truecrypt.htm)

~~~
baldfat
It was on the Win-Rar site through this [http://www.win-rar.com/173.html?&L=0](http://www.win-rar.com/173.html?&L=0)

------
decentraldude
Ah, just realized that I haven't heard from antivirus people for a while.

