The StripedFly malware, which had eluded detection since 2017, was discovered by researchers in 2022 and has affected about one million systems across the globe.
Initially mistaken for a run-of-the-mill cryptocurrency miner, StripedFly was a multifaceted threat with a complex framework designed to infiltrate and persist on both Linux and Windows systems.
Researchers from Kaspersky’s Securelist published a detailed report on the malware. StripedFly’s journey from obscurity to revelation began when analysts detected unusual activity within the WININIT.EXE process. Further investigation revealed that the malware was not just a cryptocurrency miner but part of a larger, more intricate entity designed to infiltrate the victim’s device and spy on it.
This malicious software employed a custom EternalBlue SMBv1 exploit for infiltration and had gone unnoticed for years, cleverly avoiding security solutions.
The malware propagated quietly, leveraging keys on the victim’s machine to spread within local networks. It was highly persistent, using various methods, including leveraging PowerShell when available and hiding within random folders and even autostart files.
Bitbucket Repository: The clever concealment
One of StripedFly’s notable features was its use of a Bitbucket repository for distribution, effectively hiding in plain sight. The malware hosted an encrypted and compressed custom binary archive that appeared to be firmware binaries for mysterious ‘m100’ devices. The repository, managed by a profile named Jule Heilman, contained a README.md file and a Downloads folder, which housed five binary files.
The main payload archive used for initial Windows system infections was the system.img file. The malware’s creators consistently updated and maintained the repository, making it an effective distribution method.
Communication through TOR
StripedFly operated within the TOR network, concealing its command and control (C2) server behind the .onion address gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad[.]onion:1111. To communicate with the C2 server, the malware used a custom, lightweight TOR client.
Unlike a standard TOR implementation, it omitted the routing and directory-listing features, reflecting the malware’s dedication to keeping its C2 server hidden.
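A defender-side check for the C2 indicator given above, as an added example that is not part of the original article or of Kaspersky’s research. It refangs the defanged .onion address, extracts every Tor v3 onion service name (56 base32 characters plus “.onion”, optionally with a port) from a strings dump, and flags any that match the known C2; the strings dump and the second, benign onion name are constructed for the example.

```python
import re

# Known StripedFly C2 indicator, copied from the article in its defanged form.
STRIPEDFLY_C2_DEFANGED = (
    "gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad[.]onion:1111"
)

# A Tor v3 onion service name is 56 base32 characters ([a-z2-7]) followed by
# ".onion"; an optional ":port" suffix is captured too. Case-insensitive
# because strings dumps frequently carry the name in upper case.
ONION_RE = re.compile(r"\b([a-z2-7]{56})\.onion(?::(\d{1,5}))?\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


KNOWN_C2 = {refang(STRIPEDFLY_C2_DEFANGED)}


def find_onion_services(text: str) -> list[str]:
    """Return every v3 onion host[:port] in the text, normalised to lower case,
    in order of first appearance and without duplicates."""
    found: list[str] = []
    for host, port in ONION_RE.findall(text):
        service = host.lower() + ".onion" + (f":{port}" if port else "")
        if service not in found:
            found.append(service)
    return found


def match_known_c2(text: str) -> list[str]:
    """Return the onion services in the text that are known C2 indicators."""
    return [svc for svc in find_onion_services(text) if svc in KNOWN_C2]


# Constructed strings dump (not from a real sample): one line carries the
# article's C2 indicator in upper case, another carries a harmless, made-up
# 56-character onion name so the difference between "found" and "matched"
# is visible.
BENIGN_ONION = "example" * 8 + ".onion"
SAMPLE_STRINGS_DUMP = "\n".join([
    "!This program cannot be run in DOS mode.",
    "GPIEKD65JGSHWP2P53IGIFV43AUG2ADACDEBMUURI34HDUVIJR5PFJAD.onion:1111",
    "https://bitbucket.org/",
    "referrer " + BENIGN_ONION,
])

if __name__ == "__main__":
    print("onion services found:", find_onion_services(SAMPLE_STRINGS_DUMP))
    print("known C2 matched:    ", match_known_c2(SAMPLE_STRINGS_DUMP))
```

Because the malware carries its own Tor client, the onion name is resolved inside the Tor network and never appears as a DNS query or proxy request, so this indicator is useful against endpoint artefacts (extracted strings, memory, configuration blobs) rather than network logs.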
Modular structure
StripedFly’s payload was structured as a monolithic binary executable designed to support pluggable modules, a characteristic common among advanced persistent threat (APT) malware.
These modules were divided into service and extended functionality modules, offering various capabilities. The former included configuration storage, upgrade/uninstall, and reverse proxy, while the latter included modules for miscellaneous command handling, credential harvesting, repeatable tasks, and reconnaissance.
The SMBv1 and SSH infectors allowed the malware to spread within networks and compromise new systems.
Monero mining and ThunderCrypt connection
StripedFly’s mining module, masquerading as a Google Chrome process, mined the Monero cryptocurrency. This module added a layer of stealth, contributing to the malware’s longevity.
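A triage heuristic for the masquerading described above, added here as an example and not part of the original article or of Kaspersky’s tooling. It takes process records (constructed for the example) and flags a process calling itself chrome.exe when its image path is not inside a Google\Chrome\Application directory (which covers both per-machine and per-user Chrome installs) or when its parent is a Windows system process such as wininit.exe that never legitimately launches a browser; both rules are assumptions about a typical Windows estate, not facts from the page.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Proc:
    """One row of a process listing (fields as exported by most EDR tools)."""
    pid: int
    name: str
    image_path: str
    parent_name: str


# Assumption: these system processes never legitimately spawn a browser.
SYSTEM_PARENTS = {"wininit.exe", "services.exe", "lsass.exe", "smss.exe"}


def triage(p: Proc) -> list[str]:
    """Return the reasons a chrome.exe-named process looks like an impostor
    (empty list means nothing suspicious, or not a chrome.exe at all)."""
    reasons: list[str] = []
    if p.name.lower() != "chrome.exe":
        return reasons
    parts = [s.lower() for s in PureWindowsPath(p.image_path).parts]
    # Real Chrome lives in ...\Google\Chrome\Application\chrome.exe, whether
    # installed under Program Files or under the user's AppData\Local.
    if parts[-4:-1] != ["google", "chrome", "application"]:
        reasons.append(f"image path outside a Chrome install directory: {p.image_path}")
    if p.parent_name.lower() in SYSTEM_PARENTS:
        reasons.append(f"launched by system process {p.parent_name}")
    return reasons


def find_impostors(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that triage() flags."""
    flagged = {}
    for p in procs:
        reasons = triage(p)
        if reasons:
            flagged[p.pid] = reasons
    return flagged


# Constructed process listing: two genuine Chrome processes (per-machine and
# per-user installs), one impostor dropped in a random folder and started by
# wininit.exe, and an unrelated system process.
SAMPLE_PROCS = [
    Proc(4120, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "explorer.exe"),
    Proc(4188, "chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    Proc(7732, "chrome.exe", r"C:\ProgramData\x7q3\chrome.exe", "wininit.exe"),
    Proc(880, "wininit.exe", r"C:\Windows\System32\wininit.exe", "smss.exe"),
]

if __name__ == "__main__":
    for pid, reasons in find_impostors(SAMPLE_PROCS).items():
        print(pid, "->", "; ".join(reasons))
```

The path rule alone catches a miner dropped into a random folder, and the parent rule catches the case where the binary was copied into a real-looking location but started from an injected system process; a production version would also compare the file’s signature and hash against the genuine Chrome binary.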
However, the researchers found that the Monero mining module seemed more like a disguise than a primary motive for the malware’s existence. It hinted at the potential for more lucrative activities, such as hunting for unencrypted wallets or wallet credentials.
During the analysis, researchers also stumbled upon ThunderCrypt, a related ransomware variant that shared the same codebase and communicated with the same C2 server. ThunderCrypt had similar functionality and modules to StripedFly, with the notable absence of the SMBv1 infection module.
The researchers remain baffled by the malware’s purpose even after gathering so much information about it. StripedFly challenges the prevailing narratives surrounding malware, making it clear that not all sophisticated threats follow expected patterns.
“The amount of effort invested in creating this framework is remarkable, and its unveiling was astonishing. Threat actors’ ability to adapt and evolve is a constant challenge, which is why it’s so important for us as researchers to continue to dedicate our efforts to uncovering and disseminating sophisticated cyber threats and for customers not to forget about comprehensive protection,” said Sergey Lozhkin, Principal Security Researcher at Kaspersky’s Global Research and Analysis Team.