ON THE STRONGPITY WATERING HOLE ATTACKS 2016

Kurt Baumgartner @k_sec, Principal Security Researcher

• Encryption Tech, Types of Tools: TrueCrypt, WinRAR, IM Clients, SSH Clients, File transfer (Filezilla, Winscp), RDP clients
• Watering Holes – previous watering holes: Crouching Yeti – ICS, Darkhotel – P2P
• Watering Holes – StrongPity Tactics: Rarlab spoof, WinRAR distributor link + redirect, Fortune website, WinRAR distributor direct hosting, TrueCrypt spoof
• Watering Hole – StrongPity GeoTargeting: Italy, Belgium, Turkey, Algeria, Morocco
• StrongPity Malware – Poisoned Installers, Other: droppers related to poisoned installers, digital certificates, clever crypto, spyware distribution

source: klonblog.com

2 | Strong Encryption Technology – Types of Tools

Session/data in motion encryption
• IM Clients
• SSH Clients
• File transfer
  • Filezilla
  • Winscp
• RDP clients

Drive and file content / data at rest encryption
• TrueCrypt
• WinRAR

source: mideastfood.about.com

3 | Distribution methods – Strong and weak

• Microsoft Store and Microsoft Update
• Sourceforge (+mirrors)
• Resellers and distributors
• Homebrew websites
• Maybe over http
• Signed (SHA1?) or unsigned, PGP

4 | Watering Holes - previous activity

• Crouching Yeti – poisoned installers, ICS focused

https://securelist.com/files/2014/07/EB-YetiJuly2014-Public.pdf

5 | Watering Holes – StrongPity Tactics

• Ralrab.com – spoof of Rarlab.com
• Redirect from redistributor site

6 | Watering Holes – hosted directly by redistributor (compromised, other?)

hxxps://www.winrar[.]it/prelievo/WinRAR-x64-531it.exe
hxxps://www.winrar[.]it/prelievo/WRar531it.exe

7 | Watering Holes – TrueCrypt Spoofing

hxxp://www.true-crypt[.]com/download/TrueCrypt-Setup-7.1a.exe
hxxp://true-crypt[.]com/files/TrueCrypt-7.2.exe
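A defender-side check suggested by the spoof and redistributor tactics on the three slides above, added here as an example and not part of the deck: classify an installer download for the tools these slides name by whether its host is the vendor, a one-edit lookalike of the vendor domain (ralrab.com for rarlab.com, true-crypt.com for truecrypt), or some other third party that warrants hash and signature verification. The vendor domain list (truecrypt.org), the naive registrable-domain split and the sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Tracked tools: installer filename prefixes seen in the deck and the vendor domain
# each should come from (rarlab.com is named in the deck; truecrypt.org is assumed).
TOOLS = {
    "winrar": {"prefixes": ("winrar", "wrar"), "vendor": {"rarlab.com"}},
    "truecrypt": {"prefixes": ("truecrypt",), "vendor": {"truecrypt.org"}},
}

def osa_distance(a, b):
    # Optimal string alignment: Levenshtein plus adjacent transpositions, so the
    # swapped-letter spoof ralrab/rarlab scores 1, like the hyphen in true-crypt.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_download(url):
    # (tool, host, verdict) for an .exe download of a tracked tool, else None.
    parts = urlsplit(url)
    host = parts.hostname or ""
    name = parts.path.rsplit("/", 1)[-1].lower()
    tool = next((t for t, s in TOOLS.items() if name.startswith(s["prefixes"])), None)
    if tool is None or not name.endswith(".exe"):
        return None
    domain = ".".join(host.split(".")[-2:])  # naive registrable domain (assumption)
    if domain in TOOLS[tool]["vendor"]:
        return tool, host, "vendor"
    label = domain.rsplit(".", 1)[0]  # compare second-level labels only
    if any(osa_distance(label, v.rsplit(".", 1)[0]) <= 1 for v in TOOLS[tool]["vendor"]):
        return tool, host, "lookalike"  # one edit away from the vendor's label
    return tool, host, "third-party"  # redistributor or mirror: verify hash/signature

def suspicious(urls):
    # Every tracked-tool installer download that did not come from the vendor.
    return [h for h in map(classify_download, urls) if h and h[2] != "vendor"]

# Constructed sample URLs mirroring the deck's examples: two spoof domains, one
# redistributor (winrar.it) and the vendor itself.
SAMPLE_URLS = [
    "http://www.true-crypt.com/download/TrueCrypt-Setup-7.1a.exe",
    "https://www.winrar.it/prelievo/WinRAR-x64-531it.exe",
    "http://ralrab.com/rar/winrar-x64-531.exe",
    "https://www.rarlab.com/rar/winrar-x64-531.exe",
]
```

Running `suspicious(SAMPLE_URLS)` returns the two lookalike hosts and the winrar.it redistributor, and drops the rarlab.com download.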

8 | Watering Holes – Geolocation Targeting

(charts) winrar.be/ralrab.com detections; winrar.it detections; true-crypt.com detections

9 | Watering Holes – Targeted Encryption

• .exe (a Windows SSH client)
• .exe (supports ftps uploads)
• winscp.exe (a Windows secure copy application)
• mstsc.exe (Windows Remote Desktop client)
• mRemoteNG.exe (supports SSH, RDP, and other encrypted protocols)
• IM Clients
• keyloggers and additional data stealers

image: By Eaeeae - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=30396311

10 | THANK YOU

@k_sec
