StripedFly Malware Framework Infects 1 Million Windows, Linux Hosts

Cyber Security Threat Summary:
“A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. Kaspersky discovered the true nature of the malicious framework last year, finding evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner” (Bleeping Computer, 2023).

While initially thought to be a Monero miner, StripedFly has TOR-based traffic concealing mechanisms, automatic updates from trusted platforms, worm-like spreading capabilities, and a custom EternalBlue SMBv1 exploit, which was created before the public disclosure of the flaw. Kaspersky says it’s still unclear whether the framework is used to generate revenue or to carry out cyber espionage. The framework’s sophistication indicates that its development is likely linked to an advanced persistent threat (APT) group.

The earliest sample of StripedFly with the EternalBlue exploit goes back to April of 2016. The malware injects shellcode into the WININIT[.]exe process, which is a legitimate Windows OS process that handles the initialization of various subsystems. After injecting this shellcode, Kaspersky found the malware can also download and execute additional files from legitimate hosting services like Bitbucket, GitHub and GitLab.

“The final StripedFly payload (system[.]img) features a custom lightweight TOR network client to protect its network communications from interception, the ability to disable the SMBv1 protocol, and spread to other Windows and Linux devices on the network using SSH and EternalBlue” (Bleeping Computer, 2023).

The Bitbucket repository delivering the final stage payload on Windows systems indicates that between April 2023 and September 2023, there have been nearly 60,000 system infections. It is estimated that StripedFly has infected at least 220,000 Windows systems since February 2022, but stats from before that date are unavailable, and the repository was created in 2018. In total, Kaspersky estimates roughly 1 million devices have been infected with the StripedFly framework.

Security Officer Comments:
The malware is a binary executable that can be equipped with pluggable modules, which gives the operator versatility through custom functionality.

Here's a summary of StripedFly's modules from Kaspersky's report:

  • Configuration storage: Stores encrypted malware configuration.
  • Upgrade/Uninstall: Manages updates or removal based on C2 server commands.
  • Reverse proxy: Allows remote actions on the victim's network.
  • Miscellaneous command handler: Executes varied commands like screenshot capture and shellcode execution.
  • Credential harvester: Scans and collects sensitive user data like passwords and usernames.
  • Repeatable tasks: Carries out specific tasks under certain conditions, such as microphone recording.
  • Recon module: Sends detailed system information to the C2 server.
  • SSH infector: Uses harvested SSH credentials to penetrate other systems.
  • SMBv1 infector: Worms into other Windows systems using a custom EternalBlue exploit.
  • Monero mining module: Mines Monero while camouflaged as a "chrome.exe" process.

Kaspersky believes the Monero crypto miner capability to be a red herring, diverting attention away from the malware’s primary objectives, which are data theft and system exploitation. The many pluggable modules allow the operator to perform cyber espionage, data theft, and crypto mining, or even to deploy ransomware payloads.
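Two of the behaviours described above are easy to turn into endpoint detection heuristics: a "chrome.exe" that is not running from a Chrome install directory (the camouflaged miner), and wininit.exe, which the shellcode is injected into, opening outbound connections to the code-hosting services used for stage downloads. The following is an added example written for this summary, not Kaspersky's or Bleeping Computer's code; the log line format, the sample lines and the list of legitimate Chrome install paths are assumptions.

```python
import re

# Constructed sample endpoint log lines (not real telemetry). Format is an assumption:
# "<timestamp> <event> proc=<image name> path=<image path> [dst=<remote host>]"
SAMPLE_LOGS = [
    "2023-09-01T10:00:00Z proc_start proc=chrome.exe path=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "2023-09-01T10:00:05Z proc_start proc=chrome.exe path=C:\\Users\\Public\\Libraries\\chrome.exe",
    "2023-09-01T10:00:09Z net_conn proc=wininit.exe path=C:\\Windows\\System32\\wininit.exe dst=bitbucket.org",
    "2023-09-01T10:00:12Z net_conn proc=svchost.exe path=C:\\Windows\\System32\\svchost.exe dst=update.microsoft.com",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) proc=(?P<proc>\S+) path=(?P<path>.+?)(?: dst=(?P<dst>\S+))?$")

# Where a genuine chrome.exe is expected to live (assumption: standard system-wide install paths;
# the per-user install under %LOCALAPPDATA% is handled separately below).
CHROME_DIRS = ("c:\\program files\\google\\chrome\\application\\",
               "c:\\program files (x86)\\google\\chrome\\application\\")
# Hosting services the report names as StripedFly's download sources.
CODE_HOSTS = {"bitbucket.org", "github.com", "gitlab.com"}

def parse_line(line):
    """Return the event fields as a dict, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_expected_chrome_path(path):
    p = path.lower()
    return any(p.startswith(d) for d in CHROME_DIRS) or "\\appdata\\local\\google\\chrome\\application\\" in p

def check_event(ev):
    """Return a reason string if the event matches one of the heuristics, else None."""
    proc = ev["proc"].lower()
    if proc == "chrome.exe" and not is_expected_chrome_path(ev["path"]):
        return "chrome.exe running outside a Chrome install directory (possible masquerading miner)"
    if proc == "wininit.exe" and ev["event"] == "net_conn":
        dst = (ev["dst"] or "").lower()
        if dst in CODE_HOSTS:
            return f"wininit.exe connecting to code-hosting service {dst} (possible injected stage downloader)"
        return "wininit.exe making an outbound connection (not expected for this process)"
    return None

def scan(lines):
    """Parse each line and return (timestamp, process, reason) for every flagged event."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and (reason := check_event(ev)):
            hits.append((ev["ts"], ev["proc"], reason))
    return hits

if __name__ == "__main__":
    for ts, proc, reason in scan(SAMPLE_LOGS):
        print(ts, proc, reason)
```

Either hit on its own warrants pulling the image from disk and checking which process was the parent; the wininit.exe heuristic in particular will also fire on other injection techniques that use that process, so it is a triage trigger rather than a StripedFly-specific signature.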