November 4, 2023 at 12:30PM
StripedFly, an advanced strain of malware posing as a cryptocurrency miner, has infected over a million devices globally for the past five years. It utilizes an intricate modular framework supporting both Linux and Windows and employs the EternalBlue SMBv1 exploit to infiltrate systems. The malware incorporates a variety of features, including data harvesting and remote actions. It also downloads a Monero cryptocurrency miner to camouflage its activities. The origins of StripedFly remain unknown, but its sophistication suggests an advanced persistent threat actor.
Key takeaways from the meeting notes:
– A strain of advanced malware called StripedFly has been circulating for over five years, infecting at least one million devices worldwide. It is a modular framework that supports both Linux and Windows.
– StripedFly uses a custom EternalBlue SMBv1 exploit to infiltrate publicly-accessible systems.
– The malware can download binary files from a remote Bitbucket repository and execute PowerShell scripts.
– It has various features to harvest sensitive data and can even uninstall itself.
– The malware is injected into the wininit.exe process and achieves persistence by modifying the Windows Registry or creating task scheduler entries. On Linux, it achieves persistence through various methods.
– StripedFly has spy modules that gather credentials, capture screenshots, record microphone input, and execute remote actions.
– It spreads to other machines using both SMB and SSH, using harvested keys.
– A Monero cryptocurrency miner is downloaded alongside the malware to serve as a decoy, preventing security software from detecting its full capabilities.
– Malware components are hosted as encrypted binaries on code repository hosting services like Bitbucket, GitHub, or GitLab.
– Communication with the command-and-control server takes place using a custom TOR client.
– There are similarities between StripedFly and ThunderCrypt ransomware, indicating possible connections.
– The origins of StripedFly remain unknown, but it exhibits characteristics of an advanced persistent threat (APT) actor.
– There is evidence of similarities between StripedFly and malware associated with the Equation Group, as well as possible links to Chinese hacking groups.
– The true purpose of StripedFly remains unknown, and it is unclear why the authors would choose ransomware like ThunderCrypt instead of a potentially more lucrative path.