StripedFly: Worming Miner with Espionage-Ready Code

StripedFly-Worming-Miner-with-Espionage-Ready-Code

Kaspersky experts have uncovered a previously unknown, highly sophisticated StripedFly malware with global reach affecting over a million victims since at least 2017.

In 2022, Kaspersky’s Global Research and Analysis Team encountered two unexpected detections within the WININIT.EXE process, triggered by the code sequences earlier observed in the Equation malware. This activity had been ongoing since at least 2017 and had effectively evaded prior analysis, previously being misclassified as a cryptocurrency miner. After a comprehensive examination of the issue, it was discovered that the cryptocurrency miner was merely a component of a much larger entity – a complex, multi-platform, multi-plugin malicious framework.

The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group, potentially expanding its motives from pure espionage to include financial gain. Notably, the Monero cryptocurrency mined by this module peaked at $542.33 on January 9, 2018, compared to its 2017 value of around $10. As of 2023, it has maintained a value of approximately $150. Kaspersky experts emphasise that the mining module is the primary factor enabling the malware to evade detection for an extended period.

The attacker behind this operation has acquired extensive capabilities to clandestinely spy on victims. The malware harvests credentials every two hours, pilfering sensitive data such as site and Wi-Fi login credentials and identifying the victim’s details, including their job title. Furthermore, the malware can capture screenshots on the victim’s device without detection, gain significant control over the machine, and even record microphone input.

The initial infection vector remained unknown until Kaspersky’s further investigation revealed the use of a custom-made EternalBlue ‘SMBv1’ exploit to infiltrate the victim’s systems. Despite the public disclosure of the EternalBlue vulnerability in 2017 and Microsoft’s subsequent release of a patch (MS17-010), its threat remains significant due to many users not having updated their systems.

During the technical analysis of the campaign, Kaspersky experts observed similarities to the Equation malware. These include technical indicators such as signatures associated with the Equation malware, as well as coding style and practices resembling those seen in the StraitBizzare (SBZ) malware. Based on download counters displayed by the repository where the malware is hosted, the estimated number of StripedFly targets reached over one million victims all around the globe. 

‘The amount of effort invested in creating this framework is truly remarkable, and its unveiling was quite astonishing. Cybercriminals’ ability to adapt and evolve is a constant challenge, which is why it’s so important for us as researchers to continue to dedicate our efforts to uncovering and disseminating sophisticated cyber threats and for customers not to forget about comprehensive protection from cybercrime,’ comments Sergey Lozhkin, Principal Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

To avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Update your operating system, applications, and antivirus software regularly to patch known vulnerabilities.
  • Be cautious of emails, messages, or calls asking for sensitive information. Verify the sender’s identity before sharing any personal details or clicking on suspicious links.
  • Provide your SOC team access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky, spanning over 20 years.
  • Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts
  • For endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.