Researchers at Kaspersky have disclosed StripedFly, an elusive and sophisticated piece of malware that has silently infected over a million victims worldwide since at least 2017. Long misclassified as a cryptocurrency miner, it has now been identified as a multifaceted, wormable malware framework.
The discovery dates to 2022, when Kaspersky's Global Research and Analysis Team encountered two unexpected detections inside the WININIT.EXE process, triggered by code sequences previously observed in malware attributed to the Equation group. By then StripedFly had been running for years, escaping scrutiny because earlier detections had labelled it a cryptocurrency miner. Closer investigation showed that the miner was only one component of a much larger, multi-platform, multi-plugin malicious framework.
StripedFly's payload carries a range of modules that let the operator act as an Advanced Persistent Threat (APT), a crypto miner, and even a ransomware group, so the motive can shift between financial gain and espionage. The Monero mined by one of its modules peaked at $542.33 on January 9, 2018, up from roughly $10 at the start of 2017, and still traded at around $150 in 2023. Kaspersky's researchers stress that the mining module was the main reason the malware stayed undetected for so long: a detection labelled as a miner drew little further scrutiny.
The operator has assembled a formidable set of capabilities for covertly spying on victims. Every two hours StripedFly harvests and exfiltrates website and Wi-Fi login credentials together with personal details such as names, addresses, phone numbers, employers and job titles. It can also capture screenshots without alerting the user, take extensive control of the compromised machine, and record microphone input.
The initial infection vector remained unclear until Kaspersky's investigation showed that StripedFly spreads with a custom-built EternalBlue 'SMBv1' exploit. EternalBlue became public in 2017; Microsoft had already fixed the underlying flaw in the MS17-010 security update in March of that year, a month before the exploit was leaked, yet the threat persists because many systems were never patched. Disabling SMBv1 outright removes the attack surface on hosts that cannot be updated.
During the technical analysis of the campaign, Kaspersky's researchers noted striking similarities with the Equation group's tooling, including signatures linked to Equation malware and coding practices reminiscent of the StraitBizarre (SBZ) malware. Based on download statistics from the repository where the malware is hosted, the estimated number of StripedFly victims worldwide exceeds one million.
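The practical check that follows from this is whether a host still speaks SMBv1 at all. The script below is an added example written for this article, not code from Kaspersky's report or from StripedFly: it sends a single SMB_COM_NEGOTIATE request offering only the SMBv1 "NT LM 0.12" dialect to TCP/445 and classifies the reply. A host that refuses the dialect has no SMBv1 attack surface for EternalBlue; a host that accepts it needs MS17-010 (or a superseding cumulative update) verified, because a fully patched host with SMBv1 still enabled answers the same way. Field layout follows the MS-CIFS negotiate message; the sample replies are constructed by hand so the parser can be exercised offline, and the `probe` helper is the only part that touches the network.

```python
"""Probe a host for SMBv1 ("NT LM 0.12") support over TCP/445.

Added example; not code from Kaspersky's report or from StripedFly.
Sample replies at the bottom are constructed, not captured traffic.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF           # DialectIndex meaning "none of your dialects"
HEADER_FMT = "<BIBHH8sHHHHH"  # fields after the 4-byte magic, 28 bytes


def _nbss(smb):
    """Wrap an SMB message in a NetBIOS session header (type 0, 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def _smb1_header(flags):
    """32-byte SMBv1 header for SMB_COM_NEGOTIATE with zeroed TID/UID/MID."""
    return SMB1_MAGIC + struct.pack(
        HEADER_FMT,
        SMB_COM_NEGOTIATE,
        0,            # NT status: STATUS_SUCCESS
        flags,        # FLAGS: 0x18 in a request; servers add 0x80 (reply)
        0xC853,       # FLAGS2: Unicode, NT status, long names, extended security
        0,            # PIDHigh
        b"\x00" * 8,  # SecurityFeatures
        0,            # Reserved
        0,            # TID
        0xFEFF,       # PIDLow (arbitrary)
        0,            # UID
        0,            # MID
    )


def build_negotiate_request(dialects=(b"NT LM 0.12",)):
    """Return a framed SMBv1 negotiate request offering only the given dialects."""
    # Each dialect is a BufferFormat byte (0x02) followed by a NUL-terminated name.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data   # WordCount = 0, ByteCount
    return _nbss(_smb1_header(0x18) + body)


def parse_negotiate_response(frame):
    """Classify a raw reply: "smb1-enabled", "smb1-refused", "smb2" or "unknown"."""
    smb = frame[4:]                           # drop the NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return "smb2"                         # server only speaks SMB2/3
    if smb[:4] != SMB1_MAGIC or smb[4:5] != bytes([SMB_COM_NEGOTIATE]):
        return "unknown"
    word_count = smb[32] if len(smb) > 32 else 0
    if word_count == 0 or len(smb) < 35:
        return "smb1-refused"                 # no parameter words: nothing accepted
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return "smb1-refused" if dialect_index == NO_DIALECT else "smb1-enabled"


def probe(host, port=445, timeout=3.0):
    """Send the request to a live host. Windows with SMBv1 disabled closes the
    connection instead of answering, so an empty or reset reply counts as refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            reply = s.recv(4096)
    except (ConnectionRefusedError, socket.timeout):
        return "unreachable"
    except OSError:                           # reset / closed after our request
        return "smb1-refused"
    return parse_negotiate_response(reply) if reply else "smb1-refused"


# Constructed sample replies (not captured traffic) for offline testing.
SAMPLE_ACCEPT = _nbss(_smb1_header(0x98) + b"\x11"            # WordCount 17
                      + struct.pack("<H", 0) + b"\x00" * 32   # DialectIndex 0, rest zeroed
                      + struct.pack("<H", 0))                 # ByteCount 0
SAMPLE_REFUSE = _nbss(_smb1_header(0x98) + b"\x01"            # WordCount 1
                      + struct.pack("<H", NO_DIALECT) + struct.pack("<H", 0))
SAMPLE_SMB2 = _nbss(SMB2_MAGIC + b"\x00" * 60)                # bare SMB2 header

if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Run it as `python smb1_probe.py 10.0.0.5 10.0.0.6` against hosts you are authorised to test. Treat "smb1-enabled" as a finding to triage (confirm the MS17-010 patch level, then disable SMBv1), "smb2" and "smb1-refused" as no EternalBlue exposure on that port, and "unreachable" as filtered rather than safe.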
This discovery underscores the evolving and pervasive nature of cyber threats and highlights the crucial importance of proactive cybersecurity measures to safeguard against such complex and insidious malware.