Kaspersky, the global cybersecurity and digital privacy company, has disclosed an advanced malware that has compromised over a million users since 2017.
Named “StripedFly,” the malware initially posed as a cryptocurrency miner. Subsequent investigation, however, revealed it to be an intricate, wormable framework. According to a recent Kaspersky report, StripedFly has been infiltrating both Windows and Linux systems for half a decade.
The malware carries a built-in Tor network tunnel for communicating with its command-and-control servers. It can also update itself and fetch components from legitimate platforms such as GitLab, GitHub and Bitbucket, using custom encrypted archives.
When Kaspersky’s team discovered the framework last year, it emphasized that the craftsmanship and effort poured into its creation were “exceptionally noteworthy.”
“In 2022, our research stumbled upon unexpected detections within the WININIT.EXE process of a legacy code, previously identified in the Equation malware,” stated the investigators. “Further scrutiny led us to prior instances of this questionable code from as far back as 2017.”
Although the malware was initially misidentified as a mere Monero cryptocurrency miner, its true purpose, whether profit generation or cyber espionage, remains ambiguous. Analysts have pointed out that its guise as a mining module was pivotal in allowing it to remain undetected for such an extended duration.
The report elaborates on the sophisticated capabilities the operator has for surveilling victims. The malware is designed to “harvest a plethora of confidential data from every active user.”
Specifically, it can steal website login credentials and auto-filled personal data such as names, addresses, contact numbers, employers and job titles. It can also record known Wi-Fi networks and their corresponding passwords, as the study highlighted.
Similar to EternalBlue
While the exact origin of StripedFly is still unknown, in-depth analysis has shown that the malware uses tactics resembling those of the EternalBlue ‘SMBv1’ exploit to penetrate systems.
EternalBlue made headlines when it was exposed in April 2017 and remains a threat to unpatched Windows servers even today. The exploit was developed and used by the NSA-affiliated hacking entity known as the Equation Group.
Kaspersky has revealed that traces of StripedFly were first identified in April 2016, a year before EternalBlue became public. Microsoft rolled out a patch for the vulnerability EternalBlue targets in early 2017.
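Because StripedFly's propagation leans on an SMBv1 exploit in the EternalBlue style, the most direct defensive check a Windows administrator can make is whether the legacy SMBv1 server protocol is still enabled on a host. The script below is an added example, not code from Kaspersky's report or from the malware; the function name Test-Smb1Exposure is my own, and it assumes an elevated PowerShell session on Windows 8/Server 2012 or later (where the SmbShare cmdlets exist).

```powershell
# Added example (not from the Kaspersky report): report whether the legacy
# SMBv1 server protocol targeted by EternalBlue-style exploits is enabled
# on this Windows host. Assumes an elevated session with the SmbShare module.

function Test-Smb1Exposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        Smb1ServerEnabled = $null       # switch consulted by the SMB server driver
        Smb1FeatureState  = 'Unknown'   # optional-feature state, where exposed
    }

    # Server-side SMBv1 switch; $true means the host still speaks SMBv1.
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    $result.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol

    # Windows 10 / Server 2016 and later also expose SMB1 as an optional feature.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $result.Smb1FeatureState = $feature.State.ToString() }

    [pscustomobject]$result
}

$status = Test-Smb1Exposure
$status | Format-List

if ($status.Smb1ServerEnabled) {
    Write-Warning 'SMBv1 server is enabled; disable it unless a documented dependency requires it.'
    # Remediation (uncomment to apply after confirming no legacy clients depend on SMBv1):
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
```

Run it on each server in scope; a host reporting Smb1ServerEnabled = True is exposed to the same class of lateral-movement technique the article describes, regardless of whether the 2017 patch is installed, because disabling the protocol removes the attack surface rather than just one bug in it.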
Given its inception date, StripedFly has served its purpose remarkably well, eluding detection for an extended period. While numerous prominent and intricate malware families have come under the microscope, StripedFly stands out as one meriting special attention.