A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. Kaspersky discovered the true nature of the malicious framework last year, finding evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner. The analysts describe StripedFly as nothing short of impressive, featuring sophisticated TOR-based traffic concealing mechanisms, automated updating from trusted platforms, worm-like spreading capabilities, and a custom EternalBlue SMBv1 exploit created before the public disclosure of the flaw. While it's unclear if this malware framework was utilized for revenue generation or cyber espionage, Kaspersky says its sophistication indicates that this is an APT malware. Based on the compiler timestamp for the malware, the earliest known version of StripedFly featuring an EternalBlue exploit dates April 2016, while the public leak by the Shadow Brokers group occurred in August 2016. The StripedFly malware framework was first discovered after Kaspersky found the platform's shellcode injected in the WININIT.EXE process, a legitimate Windows OS process that handles the initialization of various subsystems. After investigating the injected code, they determined it downloads and executes additional files, such as PowerShell scripts, from legitimate hosting services like Bitbucket, GitHub, and GitLab, including PowerShell scripts. The final StripedFly payload features a custom lightweight TOR network client to protect its network communications from interception, the ability to disable the SMBv1 protocol, and spread to other Windows and Linux devices on the network using SSH and EternalBlue. The malware's command and control server is on the TOR network, and communication with it involves frequent beacon messages containing the victim's unique ID. For persistence on Windows systems, StripedFly adjusts its behavior based on the level of privileges it runs on and the presence of PowerShell. In cases where PowerShell is available, it executes scripts for creating scheduled tasks or modifying Windows Registry keys. On Linux, the malware assumes the name 'sd-pam'. The Bitbucket repository delivering the final stage payload on Windows systems indicates that between April 2023 and September 2023, there have been nearly 60,000 system infections. It is estimated that StripedFly has infected at least 220,000 Windows systems since February 2022, but stats from before that date are unavailable, and the repository was created in 2018. Kaspersky estimates that over 1 million devices were infected by the StripedFly framework. The malware operates as a monolithic binary executable with pluggable modules, giving it an operational versatility often associated with APT operations. The presence of the Monero crypto miner is considered a diversion attempt, with the primary objectives of the threat actors being data theft and system exploitation facilitated by the other modules. "The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group," reads Kaspersky's report. "Notably, the Monero cryptocurrency mined by this module reached its peak value at $542.33 on January 9, 2018, compared to its 2017 value of around $10. As of 2023, it has maintained a value of approximately $150.". "Kaspersky experts emphasize that the mining module is the primary factor enabling the malware to evade detection for an extended period." Bumblebee malware returns in new attacks abusing WebDAV folders.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000