Malware thought to be a mere cryptominer was actually a sophisticated spy platform for both Windows and Linux systems; it already has infected more than 1 million victims.
StripedFly was classified and widely dismissed as a largely ineffective malware for mining crypto when it was first detected in 2017. But since then, it has actually been operating as an intricate piece of modular malware that allows attackers to achieve persistence on networks and comprehensive visibility into their activity, as well as exfiltrate credentials and other data at will, researchers from Kaspersky revealed in a blog post published Oct. 26.
While StripedFly can indeed mine Monero cryptocurrency, that’s just the tip of the iceberg for its capabilities — something the researchers discovered last year and investigated thoroughly before releasing their findings publicly.
“What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity,” Kaspersky researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin wrote in the post.
Overall, the platform appears to be “a hallmark of APT malware” that includes a built-in Tor network tunnel for communication with command-and-control (C2) servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives, they revealed.
Moreover, StripedFly appears to have already infected more than 1 million systems based on updates the researchers obtained from a Bitbucket repository associated with the malware and created on June 21, 2018, under the account of someone using the name Julie Heilman.
The researchers said the discovery of the breadth of StripedFly is “astonishing,” especially given that it has successfully evaded detection for some six years.
Breaking Down StripedFly
At its core, the malware is a monolithic binary executable that supports pluggable modules, so attackers can extend or update its functionality. Each module, whether it provides a service or extended functionality, is responsible for implementing and managing its own callback function for communication with a C2 server.
The platform first manifests itself on a network as a PowerShell script. Its initial entry mechanism appears to be a server message block (SMB) exploit, seemingly a custom version of EternalBlue, which was leaked in April 2017 and continues to threaten unpatched Windows servers.
StripedFly uses various methods for persistence depending on the availability of the PowerShell interpreter and the privileges granted to the process. “Typically, the malware would be running with administrative privileges when installed via the exploit, and with user-level privileges when delivered via the Cygwin SSH server,” the researchers wrote.
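An added example, not code from the Kaspersky post or this article: a PowerShell audit that checks the two conditions relevant to the entry path described above, whether the SMBv1 server protocol that EternalBlue-style exploits require is still enabled, and whether PowerShell script block logging is enforced so a PowerShell-delivered stage leaves a trace. The function name is hypothetical; it assumes an elevated session on Windows 8/Server 2012 or later, where the SMB cmdlets exist.

```powershell
# Added example, not from the original article. Function name is hypothetical.
function Get-StripedFlyExposureAudit {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        Host                      = $env:COMPUTERNAME
        Smb1ServerEnabled         = $null    # from Get-SmbServerConfiguration
        Smb1FeatureState          = $null    # Windows optional feature (client SKUs)
        ScriptBlockLoggingEnabled = $false
        Findings                  = @()
    }

    # SMBv1 on the server side is the surface an EternalBlue-style exploit needs.
    try {
        $smb = Get-SmbServerConfiguration -ErrorAction Stop
        $result.Smb1ServerEnabled = [bool]$smb.EnableSMB1Protocol
        if ($result.Smb1ServerEnabled) {
            $result.Findings += 'SMBv1 server protocol is enabled; disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false'
        }
    } catch {
        $result.Findings += "Could not query SMB server configuration: $($_.Exception.Message)"
    }

    # On client SKUs SMBv1 is also an optional feature; 'Disabled' means the driver cannot load at all.
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
        $result.Smb1FeatureState = [string]$feature.State
    } catch {
        # Server SKUs expose it as the FS-SMB1 feature via Get-WindowsFeature instead.
        $result.Smb1FeatureState = 'NotApplicable'
    }

    # Script block logging (event ID 4104) is what makes a PowerShell-based foothold visible.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $value = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    if ($value -and $value.EnableScriptBlockLogging -eq 1) {
        $result.ScriptBlockLoggingEnabled = $true
    } else {
        $result.Findings += 'PowerShell script block logging is not enforced by policy'
    }

    return [pscustomobject]$result
}

Get-StripedFlyExposureAudit | Format-List
```

An empty Findings list means SMBv1 is off on the server side and script block logging is enforced; anything listed is a gap worth closing before hunting for the malware's own indicators.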
In terms of its modules, the malware has three service modules that support its operation and six functionality modules that carry out its actual work. The service modules handle configuration storage, upgrading and uninstalling the malware, and reverse proxying.
The functionality modules are varied and comprehensive, giving attackers a laundry list of capabilities for consistently spying on activity across a victim’s network. In addition to the aforementioned Monero cryptominer, the modules are: a miscellaneous command handler; a credential harvester; repeatable tasks that can take screenshots, record microphone input, and perform other actions on a scheduled basis; a reconnaissance module that compiles extensive system information; and SMBv1 and SSH infectors for penetration and worming capabilities.
The researchers also discovered a related ransomware variant called ThunderCrypt that shares the same underlying codebase and communicates with the same C2 server as StripedFly.
Unsolved Mysteries
The blog post includes numerous indicators of compromise and other websites and relevant data related to StripedFly to help organizations identify if they’ve been infected.
In the meantime, numerous questions still hover around StripedFly, including the true motive of its perpetrators — a question further muddled by the existence of a related ransomware component.
“While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn’t opt for the potentially more lucrative path instead,” the researchers wrote.
It’s also unclear whether StripedFly is still active, since at the time of writing, the researchers observed only eight updates for Windows systems and four for Linux systems in the Bitbucket repository. This could indicate that “either there are minimal active infections,” or that all the victims already infected by StripedFly are still actively communicating with its C2, they noted.
“Only those who crafted this enigmatic malware hold the answer,” the researchers acknowledged. “It’s difficult to accept the notion that such sophisticated and professionally designed malware would serve such a trivial purpose, given all the evidence to the contrary.”