StripedFly malware framework infects 1 million Windows, Linux hosts

A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time.

Kaspersky discovered the true nature of the malicious framework last year, uncovering evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner.

The analysts describe StripedFly as nothing short of impressive, featuring sophisticated TOR-based traffic concealing mechanisms, automated updating from trusted platforms, worm-like spreading capabilities, and a custom EternalBlue SMBv1 exploit created before the public disclosure of the flaw.

While it's unclear if this malware framework was used for revenue generation or cyber espionage, Kaspersky says its sophistication indicates that this is an APT (advanced persistent threat) malware.

Based on the compiler timestamp for the malware, the earliest known version of StripedFly featuring an EternalBlue exploit dates to April 2016, while the public leak by the Shadow Brokers group occurred in August 2016.

StripedFly in over a million systems

The StripedFly malware framework was first discovered after Kaspersky found the platform's shellcode injected into the WININIT.EXE process, a legitimate Windows OS process that handles the initialization of various subsystems.

After investigating the injected code, they determined that it downloads and executes additional files, such as PowerShell scripts, from legitimate hosting services like Bitbucket, GitHub, and GitLab.

Further investigation showed that infected devices were likely first breached using a custom EternalBlue SMBv1 exploit that targeted internet-exposed computers.

The final StripedFly payload (system.img) features a custom lightweight TOR network client to protect its network communications from interception, the ability to disable the SMBv1 protocol, and the ability to spread to other Windows and Linux devices on the network using SSH and EternalBlue.

The malware's command and control (C2) server is on the TOR network, and communication with it involves frequent beacon messages containing the victim's unique ID.

StripedFly's infection chain (Kaspersky)

For persistence on Windows systems, StripedFly adjusts its behavior based on the level of privileges it runs with and the presence of PowerShell.

Without PowerShell, it generates a hidden file in the %APPDATA% directory. In cases where PowerShell is available, it executes scripts for creating scheduled tasks or modifying Windows Registry keys.

On Linux, the malware assumes the name 'sd-pam'. It achieves persistence using systemd services, an autostarting .desktop file, or by modifying various profile and startup files, such as /etc/rc*, profile, bashrc, or inittab files.
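The three Linux persistence techniques described above map to a small set of filesystem locations, which makes them a natural hunting target. The script below is an added example written for this article (it is not Kaspersky's or BleepingComputer's code): it takes a scan root so it can run over a mounted disk image or a test tree, and checks systemd unit files, autostart `.desktop` entries, and the `/etc/rc*`, profile, bashrc and inittab files for references to the `sd-pam` name. Only the name and the persistence locations come from the article; the directory layout, the `build_sample_tree()` fixture and its file contents are constructed assumptions for demonstration.

```python
"""Hunt a Linux filesystem for the persistence artifacts attributed to StripedFly.

Added example for this article, not Kaspersky's or BleepingComputer's code.
Only the implant name 'sd-pam' and the persistence locations (systemd
services, autostart .desktop files, /etc/rc*, profile, bashrc, inittab)
come from the article; the scan-root layout and sample files are assumed.
"""
import re
import tempfile
from pathlib import Path

SUSPECT_NAME = "sd-pam"  # name the article says the Linux implant assumes

# Paths relative to a scan root, so the scanner can run against a mounted
# image or a constructed test tree instead of the live system.
SYSTEMD_DIRS = ["etc/systemd/system", "usr/lib/systemd/system",
                "home/*/.config/systemd/user"]
AUTOSTART_DIRS = ["etc/xdg/autostart", "home/*/.config/autostart"]
STARTUP_FILES = ["etc/rc*", "etc/profile", "etc/bash.bashrc", "etc/inittab",
                 "home/*/.profile", "home/*/.bashrc", "home/*/.bash_profile"]


def _expand(root, patterns):
    """Resolve glob patterns relative to the scan root."""
    return [p for pat in patterns for p in Path(root).glob(pat)]


def _read(path):
    try:
        return path.read_text(errors="replace")
    except OSError:
        return ""


def _value(body, key):
    """Return the value of a 'Key=value' line (systemd / .desktop syntax)."""
    m = re.search(rf"^{key}\s*=\s*(.+)$", body, re.MULTILINE)
    return m.group(1).strip() if m else ""


def find_systemd_units(root):
    """Unit files whose name or ExecStart references the suspect name."""
    hits = []
    for d in _expand(root, SYSTEMD_DIRS):
        if not d.is_dir():
            continue
        for unit in d.glob("*.service"):
            exec_cmd = _value(_read(unit), "ExecStart")
            if SUSPECT_NAME in unit.name or SUSPECT_NAME in exec_cmd:
                hits.append(("systemd-unit", str(unit), exec_cmd))
    return hits


def find_autostart_entries(root):
    """Autostart .desktop files whose Exec= line references the suspect name."""
    hits = []
    for d in _expand(root, AUTOSTART_DIRS):
        if not d.is_dir():
            continue
        for entry in d.glob("*.desktop"):
            exec_cmd = _value(_read(entry), "Exec")
            if SUSPECT_NAME in exec_cmd:
                hits.append(("autostart-desktop", str(entry), exec_cmd))
    return hits


def find_startup_file_hooks(root):
    """Lines appended to shell profile / init files that launch the suspect name."""
    hits = []
    for f in _expand(root, STARTUP_FILES):
        if not f.is_file():
            continue
        for lineno, line in enumerate(_read(f).splitlines(), 1):
            if SUSPECT_NAME in line:
                hits.append(("startup-file", f"{f}:{lineno}", line.strip()))
    return hits


def hunt(root):
    """Run all three checks; returns sorted (category, location, detail) tuples."""
    return sorted(find_systemd_units(root) + find_autostart_entries(root)
                  + find_startup_file_hooks(root))


def build_sample_tree():
    """Constructed test tree: a benign and a suspicious artifact per technique."""
    root = Path(tempfile.mkdtemp(prefix="stripedfly-hunt-"))
    files = {
        "etc/systemd/system/cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
        "etc/systemd/system/session.service":
            "[Unit]\nDescription=Session daemon\n[Service]\n"
            "ExecStart=/home/alice/.local/share/sd-pam\nRestart=always\n",
        "etc/xdg/autostart/at-spi.desktop":
            "[Desktop Entry]\nExec=/usr/libexec/at-spi-bus-launcher\n",
        "home/alice/.config/autostart/session.desktop":
            "[Desktop Entry]\nType=Application\nName=session\n"
            "Exec=/home/alice/.local/share/sd-pam\n",
        "etc/profile": "export PATH=/usr/local/bin:/usr/bin:/bin\n",
        "etc/rc.local": "#!/bin/sh\nexit 0\n",
        "home/alice/.bashrc":
            "alias ll='ls -l'\n/home/alice/.local/share/sd-pam >/dev/null 2>&1 &\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return str(root)


if __name__ == "__main__":
    for category, where, detail in hunt(build_sample_tree()):
        print(f"{category:18} {where}\n    {detail}")
```

Run against the constructed tree it reports exactly the three suspicious artifacts and ignores the benign cron unit, accessibility autostart entry and stock `/etc/profile`. Two caveats when running it against real hosts: systemd itself spawns a legitimate helper process named `(sd-pam)` for user sessions, so a bare process-name match is noisy and the file path behind the name is what matters; and a unit or `.desktop` file dropped by the malware need not carry the name in its own filename, which is why the checks look at the `ExecStart=` and `Exec=` values rather than only the file names.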

The Bitbucket repository delivering the final stage payload on Windows systems indicates that between April 2023 and September 2023, there have been about 60,000 system infections.

It is estimated that StripedFly has infected at least 220,000 Windows systems since February 2022, but stats from before that date are unavailable, and the repository was created in 2018.

Payload download count since April 2023 (Kaspersky)

However, Kaspersky estimates that over 1 million devices were infected by the StripedFly framework.

Malware modules

The malware operates as a monolithic binary executable with pluggable modules, giving it an operational versatility often associated with APT operations.

Here's a summary of StripedFly's modules from Kaspersky's report:

  • Configuration storage: Stores encrypted malware configuration.
  • Upgrade/Uninstall: Manages updates or removal based on C2 server commands.
  • Reverse proxy: Allows remote actions on the victim's network.
  • Miscellaneous command handler: Executes varied commands like screenshot capture and shellcode execution.
  • Credential harvester: Scans and collects sensitive user data like passwords and usernames.
  • Repeatable tasks: Carries out specific tasks under certain conditions, such as microphone recording.
  • Recon module: Sends detailed system information to the C2 server.
  • SSH infector: Uses harvested SSH credentials to penetrate other systems.
  • SMBv1 infector: Worms into other Windows systems using a custom EternalBlue exploit.
  • Monero mining module: Mines Monero while camouflaged as a "chrome.exe" process.

The presence of the Monero crypto miner is considered a diversion attempt, with the primary objectives of the threat actors being data theft and system exploitation facilitated by the other modules.

"The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group," reads Kaspersky's report.

"Notably, the Monero cryptocurrency mined by this module reached its peak value at $542.33 on January 9, 2018, compared to its 2017 value of approximately $10. As of 2023, it has maintained a value of approximately $150."

"Kaspersky experts emphasize that the mining module is the primary factor enabling the malware to evade detection for an extended period."

The researchers also identified links to the ransomware variant ThunderCrypt, which uses the same C2 server at "ghtyqipha6mcwxiz[.]onion:1111."

The 'repeatable tasks module' also suggests that the unidentified attackers could be interested in revenue generation for some victims.