The rapid evolution of malware and cyber threats is a growing concern for businesses across the globe. A recent discovery by Kaspersky has unveiled a sophisticated cross-platform malware framework called StripedFly. This malware successfully remained undetected for five years, infecting over a million Windows and Linux systems.
Malware Overview:
- Origins: StripedFly’s activity traces back to 2017. Initially, it was misclassified as a mere Monero cryptocurrency miner. However, its capabilities far exceed simple cryptocurrency mining.
- Attributes: The malware is recognized for its TOR-based traffic concealment, its automatic updates fetched from trusted platforms, and its ability to spread like a worm. Notably, it features a custom EternalBlue SMBv1 exploit. This level of sophistication suggests it is APT (advanced persistent threat) malware.
- Discovery: Kaspersky’s researchers identified StripedFly by detecting its shellcode in the WININIT.EXE process of the Windows OS. Upon deeper investigation, they uncovered its complex mechanisms of downloading and executing files, including PowerShell scripts, from legitimate hosting services like Bitbucket, GitHub, and GitLab.
- Spread Mechanism: Infected devices were likely compromised using a custom EternalBlue SMBv1 exploit targeting exposed computers. The malware uses a custom lightweight TOR network client for encrypted communications, can disable the SMBv1 protocol, and spreads to other Windows and Linux devices using SSH and EternalBlue.
- Persistence: For persistence on Windows, StripedFly varies its behavior based on privilege levels and the presence of PowerShell. On Linux, it disguises itself as ‘sd-pam’ and achieves persistence using various methods.
Modules and Operations:
StripedFly operates with a versatile set of modules, some of which include:
- Configuration Storage: For encrypted malware configuration storage.
- Upgrade/Uninstall: Manages malware updates or removal.
- Credential Harvester: Collects sensitive user data, including passwords and usernames.
- Recon Module: Sends detailed system information to the C2 server.
- Monero Mining Module: Mines Monero, disguised as a “chrome.exe” process.
These modules allow StripedFly to act as an APT, a crypto miner, and potentially even a ransomware group. The Monero miner (Monero's value has fluctuated over the years) is believed to be a diversion tactic; the threat actors' main objective is likely data theft and system exploitation.
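As an added illustration (not code from the original report, Kaspersky, or BleepingComputer), the following Python hunt runs over constructed process records and flags the two process disguises described above: a Linux process posing as systemd's 'sd-pam' helper, and a 'chrome.exe' process running from outside the browser's install directory. The expected systemd parent and executable paths for the genuine processes are assumptions for a standard installation.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    host: str    # "linux" or "windows"
    pid: int
    name: str    # process name / comm as reported by the host
    exe: str     # resolved executable path
    parent: str  # parent process name


# Assumption: the genuine "(sd-pam)" helper is forked by the per-user
# systemd instance and its executable is the systemd binary itself.
SYSTEMD_EXES = {"/usr/lib/systemd/systemd", "/lib/systemd/systemd"}

# Assumption: a legitimate Chrome binary lives under Program Files.
CHROME_PATH = re.compile(
    r"^[A-Z]:\\Program Files( \(x86\))?\\Google\\Chrome\\Application\\chrome\.exe$",
    re.IGNORECASE,
)


def is_suspicious(p: Proc) -> bool:
    """Flag a process whose name matches one of the disguises but whose
    parent or executable path does not match the genuine process."""
    name = p.name.strip("()").lower()
    if p.host == "linux" and name == "sd-pam":
        return p.parent != "systemd" or p.exe not in SYSTEMD_EXES
    if p.host == "windows" and name == "chrome.exe":
        return CHROME_PATH.match(p.exe) is None
    return False


def hunt(procs):
    """Return the PIDs of all suspicious processes in the snapshot."""
    return [p.pid for p in procs if is_suspicious(p)]


# Constructed sample snapshot: one genuine and one impostor per disguise.
SAMPLE = [
    Proc("linux", 1200, "(sd-pam)", "/usr/lib/systemd/systemd", "systemd"),
    Proc("linux", 4410, "sd-pam", "/tmp/.x/sd-pam", "bash"),
    Proc("windows", 3320, "chrome.exe",
         r"C:\Program Files\Google\Chrome\Application\chrome.exe", "explorer.exe"),
    Proc("windows", 5016, "chrome.exe", r"C:\Users\Public\chrome.exe", "svchost.exe"),
]

if __name__ == "__main__":
    print(hunt(SAMPLE))  # prints [4410, 5016]
```

The same check can be fed from a real process snapshot (for example, ps output or an EDR export) by building Proc records from it.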
Protecting Your Business:
Understanding the intricacies of such advanced threats is paramount for businesses aiming to safeguard their digital assets. With threats like StripedFly lurking in the digital realm, it’s crucial to have a robust information security management system in place. Additionally, adhering to standards such as ISO 27001 can further bolster your organization’s defenses against such sophisticated attacks.
This is a reminder of the stealthy threats that can go undetected for extended periods. It’s essential to invest in comprehensive security solutions and to stay updated with the latest threats. At Xiphos, we offer tailored services in information security management, risk management, and more to help businesses ensure their protection against such threats. Reach out to us today to fortify your defenses.
Source: bleepingcomputer