Some releases of the file compression tool WinRAR and of the Winbox software have been tampered with and used to install malicious software. According to investigations, this spyware deployment campaign began in the second half of 2018 and is still ongoing. The campaign is attributed to the group StrongPity, which specializes in so-called watering hole attacks aimed at espionage.
StrongPity, also known as Promethium, drew attention in 2016 when it used websites to distribute trojanized versions of WinRAR and TrueCrypt. However, it has been active since 2012. It has used zero-day vulnerabilities many times in spear-phishing attacks.
Researchers at AT&T Alien Labs found a new piece of malicious software a few days ago. It was installed by a trojanized but fully functional copy of Winbox (sample analysis) for Windows systems.
There was no difference in functionality that would make the victims suspect that something was wrong.
The spyware looks for documents and communicates with the command and control server over an SSL connection. According to the researchers' report, it also allows remote access.
In the past, hackers have also used other popular software to install malware, including CCleaner, Driver Booster, Opera Browser, Skype, VLC Media Player, antivirus products and 7-Zip.
It seems that the hacker group uses methods and techniques that have previously been used in other campaigns to distribute malware. In December 2017, ESET published a report on a StrongPity group campaign involving an Internet service provider.
StrongPity targeted specific victims, and when they tried to download the software (which they believed to be legitimate) they were redirected to the malicious version.