October 26, 2023 at 09:31AM
Researchers at Kaspersky have discovered that a malware called StripedFly, initially thought to be a basic cryptominer, is actually a sophisticated spy platform infecting over 1 million victims. The malware allows attackers to gain control over networks, exfiltrate data, and mine cryptocurrency. It includes a Tor network tunnel and uses trusted services like GitLab, GitHub, and Bitbucket for communication. The true motive of the malware’s creators remains unclear.
The report describes the discovery of a malware called StripedFly, which was initially classified as a cryptominer but is actually a sophisticated spy platform for Windows and Linux systems. It has already infected over 1 million victims. Researchers from Kaspersky found that StripedFly allows attackers to achieve persistence on networks, gain comprehensive visibility into activities, and exfiltrate credentials and other data. The malware includes a Tor network tunnel, uses trusted services for its update and delivery functionality, and has evaded detection for six years.
The core structure of StripedFly is a monolithic binary executable with pluggable modules for extending or updating its functionality. It enters networks as a PowerShell script delivered through a custom version of the EternalBlue SMB exploit. The malware has various methods for persistence and privilege escalation. It consists of three service modules and six functionality modules that provide capabilities such as cryptomining, command handling, credential harvesting, reconnaissance, and infectors for penetration and worming.
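The summary notes two things a defender can act on: the malware hides its update and delivery traffic behind trusted code-hosting services (GitLab, GitHub, Bitbucket), and its entry vector is a PowerShell payload carried by an SMB exploit. The script below is an added example, not code from Kaspersky or from the report, of a simple log-review heuristic for the first point: it flags outbound requests to code-hosting hosts that originate from processes which normally have no reason to fetch from them, or that run as a privileged service account. The log format, field names, sample lines and the allowlist of expected processes are all constructed assumptions for this example, not any vendor's schema.

```python
"""
Added example (not from the Kaspersky report): flag outbound requests to trusted
code-hosting services that come from unexpected processes or privileged accounts.
Log format, field names and sample lines are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Code-hosting hosts named in the summary as abused for command/update traffic.
CODE_HOSTING_HOSTS = {
    "github.com", "raw.githubusercontent.com", "api.github.com",
    "gitlab.com", "bitbucket.org", "api.bitbucket.org",
}

# Processes for which traffic to these hosts is expected on a workstation.
# Assumption for this example; tune it to the environment being reviewed.
EXPECTED_PROCESSES = {"git.exe", "git", "chrome.exe", "firefox.exe", "msedge.exe", "code.exe"}

# Service accounts that should never be pulling content from code-hosting sites.
PRIVILEGED_USERS = {"SYSTEM", "ROOT"}

# Constructed log format: "<ts> host=<fqdn> proc=<image-path> user=<name> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+user=(?P<user>\S+)\s+bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    proc: str
    user: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(rec: dict) -> Optional[str]:
    """Return a reason string if the record looks suspicious, otherwise None."""
    host = rec["host"].lower()
    proc = rec["proc"].lower().rsplit("\\", 1)[-1]  # keep only the image name
    if host not in CODE_HOSTING_HOSTS:
        return None
    if proc in EXPECTED_PROCESSES:
        return None
    if rec["user"].upper() in PRIVILEGED_USERS:
        return "code-hosting fetch by a privileged service account"
    return "code-hosting fetch by unexpected process"


def review(lines) -> List[Finding]:
    """Run the heuristic over an iterable of log lines; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = is_suspicious(rec)
        if reason:
            findings.append(Finding(rec["ts"], rec["host"], rec["proc"], rec["user"], reason))
    return findings


# Constructed sample log: one benign git fetch, one PowerShell fetch as SYSTEM,
# one fetch by a system process, one unrelated host, and one malformed line.
SAMPLE_LOG = [
    "2023-10-26T09:31:00Z host=github.com proc=git.exe user=alice bytes=40213",
    r"2023-10-26T09:32:10Z host=bitbucket.org proc=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe user=SYSTEM bytes=1874",
    "2023-10-26T09:33:44Z host=raw.githubusercontent.com proc=svchost.exe user=alice bytes=9920",
    "2023-10-26T09:34:02Z host=example.com proc=curl.exe user=bob bytes=512",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.ts} {f.user}@{f.proc} -> {f.host}: {f.reason}")
```

This is a coarse triage heuristic, not a signature: package managers and build tools also pull from GitHub, so the allowlist needs tuning, and a hit means "look at this host", not "this is StripedFly". It also only covers the traffic side; the entry vector in the summary is an SMB exploit, so keeping SMB patched and SMBv1 disabled remains the primary control.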
Researchers also discovered a related ransomware variant called ThunderCrypt, which shares the same codebase and communicates with the same Command-and-Control (C2) server as StripedFly. The motive of the perpetrators behind StripedFly is still unclear, especially considering the existence of the ransomware component.
There are still many unanswered questions about StripedFly, including whether it is currently active. The researchers observed minimal update activity in the Bitbucket repository, which could indicate either that few active infections remain or that the malware is still communicating with infected hosts.
The researchers emphasized that the true purpose of such sophisticated malware remains unknown, given the evidence that it was built for something more than a trivial goal.