A highly sophisticated piece of malware posing as a cryptocurrency miner has stayed hidden for five years, infecting more than one million devices, cybersecurity investigators warn. Named StripedFly, the threat contains code sequences previously observed in the malware used by the threat actor known as the Equation Group, known for APT malware and attacks, which has been linked to the US National Security Agency.
Designed as a modular framework, StripedFly can target both Windows and Linux and comes with a built-in Tor network tunnel it uses for communication with the command-and-control (C&C) server. It also has update and delivery mechanisms that rely on trusted services, including Bitbucket, GitLab, and GitHub. This approach is not common among APT and crime-ware developers, and this example shows the sophistication of this malware against many other actors.[1] It is functionally complex.
StripedFly was initially detected in 2017, when it was misclassified as a cryptocurrency miner, despite its custom EternalBlue SMBv1 exploit that allowed it to spread quietly, avoiding detection by most security solutions. Based on the presence of PowerShell and its privileges on the system, the malware achieves persistence by modifying Windows registry or by creating scheduler tasks. Various persistence methods are used on Linux as well.
Malware components that can be offloaded are hosted as encrypted binaries on online services. While the download counts on those repositories only reflect the down loads for the latest version, researchers have determined that over one million updates have been downloaded since 2017.
StripedFly’s modules provide either service or extended functionality and are responsible for storing the malware’s configuration, upgrade and uninstall operations, creating a reverse proxy, harvesting credentials and files, taking screenshots, executing processes, recording microphone input, performing reconnaissance, spreading the malware, and mining for Monero. An analysis of the malware also revealed multiple similarities with the ThunderCrypt ransomware, such as the presence of a Tor client and multiple modules with the same functionality as StripedFly’s.
Researchers have found similarities between StripedFly and the Equation malware, although it has identified “no direct evidence that they are related.” The purpose of StripedFly remains unclear. What is clear is that it has all the capabilities of an advanced persistent threat, combined with those of ransomware, and that it can be used both for financial gain and espionage.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.securityweek.com/advanced-stripedfly-malware-with-1-million-infections-shows-similarities-to-nsa-malware/
Comments