At least 1 million affected by highly sophisticated malware StripedFly

It initially acted as a cryptocurrency miner, but turned out to be a complex malware with a multi-functional wormable framework, according to Kaspersky, a company with expertise in cybersecurity and digital privacy.

Kaspersky's global research and analysis team encountered two unexpected detections within the WININIT.EXE process in 2022.

StripedFly activity had been ongoing since at least 2017 and had effectively evaded prior analysis. It was previously misclassified as a cryptocurrency miner. It was discovered that the cryptocurrency miner was merely a component of a much larger entity – a complex, multi-platform, multi-plugin malicious framework.

The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group, potentially expanding its motives from financial gain to espionage.

Notably, the Monero cryptocurrency mined by this module reached its peak value at $542.33 on January 9, 2018, compared to its 2017 value of around $10. As of 2023, it has maintained a value of approximately $150.

Experts maintained that the mining module was the primary factor enabling the malware to evade detection for an extended period.

The attacker behind this operation has acquired extensive capabilities to spy clandestinely on victims. The malware harvests credentials every two hours, pilfering sensitive data such as site and WiFi log-in credentials, along with personal data such as name, address, phone number, company, and job title. It can capture screenshots on the victim's device without detection, gain significant control over the machine, and even record microphone input.

Using EternalBlue

Further investigation revealed the use of a custom-made EternalBlue 'SMBv1' exploit to infiltrate the victim’s systems. Despite the public disclosure of the EternalBlue vulnerability in 2017, and Microsoft's subsequent release of a patch (designated as MS17-010), the threat it presents remains significant due to many users not having updated their systems, according to Kaspersky.

During the technical analysis of the campaign, Kaspersky experts observed similarities to the Equation malware. These include technical indicators such as signatures associated with the Equation malware, as well as coding style and practices resembling those seen in the StraitBizzare (SBZ) malware. Based on download counters displayed by the repository where the malware is hosted, the estimated number of StripedFly targets reached over 1 million victims all around the globe.

“The amount of effort invested in creating this framework is truly remarkable, and its unveiling was quite astonishing. Threat actors’ ability to adapt and evolve is a constant challenge, which is why it’s so important for us as researchers to continue to dedicate our efforts into uncovering and disseminating sophisticated cyberthreats, and for customers not to forget about comprehensive protection,” said Sergey Lozhkin, principal security researcher at Kaspersky.

Safeguard yourself

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, researchers recommend implementing the following measures:

• Update your operating system, applications, and antivirus software regularly to patch any known vulnerabilities.
• Be cautious of emails, messages, or calls asking for sensitive information. Verify the sender’s identity before sharing any personal details or clicking on suspicious links.
• Provide your security operations centre team with access to the latest threat intelligence.
• Always upskill your cybersecurity team to tackle the latest targeted threats.
• Implement Endpoint Detection and Response solutions for endpoint-level detection, investigation, and timely remediation of incidents.