Utrecht, November 1 - Kaspersky experts have discovered StripedFly, a previously unknown and highly sophisticated malware that has affected more than a million victims worldwide since at least 2017. Initially, the malware posed as a cryptocurrency miner, but it turned out to be a complex, multi-functional wormable framework.
In 2022, Kaspersky's Global Research and Analysis Team discovered two unexpected detections within the WININIT.EXE process. These were caused by code sequences previously observed in the Equation malware. The activity had been ongoing since at least 2017 and had evaded earlier analysis because it had been misclassified as a cryptocurrency miner. After an extensive investigation, it was discovered that the cryptocurrency miner was just one part of a much larger entity - a complex, multiplatform, multiplugin malicious framework.
The malware's payload consists of multiple modules, allowing the actor to act as an APT, a cryptominer and even a ransomware group. This potentially expands its motives from pure espionage to financial gain. The Monero cryptocurrency mined by this module reached a peak value of $542.33 on 9 January 2018, while it was only worth $10 in 2017. As of 2023, it has a value of around $150. Kaspersky experts stress that the mining module is the main factor allowing the malware to evade detection for a longer period of time.
The attacker behind this operation has extensive capabilities to covertly spy on victims. The malware collects login data every two hours, steals sensitive data such as login credentials for websites and Wi-Fi networks, and gathers personal details about the victim, including their job title. Moreover, the malware can imperceptibly take screenshots on the victim's device, gain significant control over the device and even record microphone input.
The initial infection vector remained unknown until further investigation by Kaspersky revealed that a customised EternalBlue 'SMBv1' exploit was used to infiltrate victims' systems. Despite the disclosure of the EternalBlue vulnerability in 2017 and the subsequent publication of a patch by Microsoft (MS17-010), the threat remains high as many users have not updated their systems.
During technical analysis of the StripedFly campaign, Kaspersky experts saw similarities with the Equation malware. These included technical indicators such as signatures associated with the Equation malware, as well as an encryption style and practices similar to those of the StraitBizzare (SBZ) malware. Based on download counts displayed by the repository where the malware is hosted, StripedFly's estimated number of targets has reached more than one million victims around the world.
'The amount of effort that went into creating this framework is truly remarkable and its disclosure was astonishing. The ability of cybercriminals to adapt and evolve is a constant challenge. That is why it is so important for us as researchers to continue to focus our efforts on uncovering and disseminating advanced cyber threats, and for customers not to forget comprehensive protection against cybercrime,' said Sergey Lozhkin, Principal Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT).