October 26, 2023 at 10:56AM
StripedFly is a sophisticated cross-platform malware that infected over a million Windows and Linux systems for five years. Kaspersky discovered it in 2022 and found evidence of its activity since 2017. The malware features TOR-based traffic concealing mechanisms, automated updating, worm-like spreading, and an exploit created before it was publicly disclosed. It’s unclear if it was used for revenue generation or cyber espionage, but Kaspersky identifies it as an advanced persistent threat. The malware has multiple modules, including a Monero crypto miner, and is associated with the ransomware variant ThunderCrypt.
Key Takeaways from the Meeting Notes:
1. The StripedFly malware platform has been infecting over a million Windows and Linux systems for the past five years, with its true nature only recently discovered by Kaspersky.
2. StripedFly is a highly sophisticated malware, employing TOR-based traffic concealing mechanisms, automated updating, worm-like spreading capabilities, and an EternalBlue SMBv1 exploit.
3. It is uncertain if the malware was used for revenue generation or cyber espionage, but its sophistication suggests that it is an advanced persistent threat (APT) malware.
4. The initial breach of infected devices likely occurred through a custom EternalBlue SMBv1 exploit targeting internet-exposed computers.
5. The malware’s command and control (C2) server is on the TOR network, and communication involves frequent beacon messages containing unique victim IDs.
6. StripedFly achieves persistence on Windows systems by modifying files and utilizing PowerShell, while on Linux it uses systemd services and various profile and startup files.
7. The Bitbucket repository delivering the final stage payload on Windows systems indicates around 60,000 system infections between April and September 2023. Overall, it is estimated that over 1 million devices have been infected.
8. The malware operates as a monolithic binary executable with multiple modules, including configuration storage, upgrade/uninstall, reverse proxy, command handler, credential harvester, repeatable tasks, recon module, SSH infector, SMBv1 infector, and Monero mining module.
9. The Monero mining module is considered a diversion attempt, with the main objectives of the threat actors being data theft and system exploitation.
10. Links to the ransomware variant, ThunderCrypt, were found, indicating a connection to the same C2 server.
11. The presence of the Monero mining module has allowed the malware to evade detection for an extended period.
12. The “repeatable tasks module” suggests that some of the attackers may be interested in generating revenue from certain victims.