StripedFly Malware

Cybersecurity experts have discovered an exceptionally advanced strain of malware called StripedFly, previously unknown to the infosec community. This malware has demonstrated a global impact, targeting and affecting more than one million victims since at least 2017. Initially disguised as a cryptocurrency mining tool, it has been revealed to be a complex and versatile malware featuring a multi-faceted, self-propagating framework.

StripedFly may Have Infected Over a Million Systems

The StripedFly malware framework came to light following its detection by researchers, who identified its presence in the WININIT.EXE process, a legitimate component of the Windows OS responsible for initiating various subsystems.

Upon delving into the injected code, it became evident that StripedFly initiates the download and execution of additional files, notably PowerShell scripts, from legitimate hosting platforms such as Bitbucket, GitHub, and GitLab. Further analysis revealed that the malware likely infiltrated devices through a customized exploit of the EternalBlue SMBv1 vulnerability, primarily targeting internet-exposed computers.

The final StripedFly payload, named 'system.img,' includes a proprietary lightweight TOR network client to safeguard its network communications from interception. It also possesses the capability to deactivate the SMBv1 protocol and propagate itself to other Windows and Linux devices on the network using SSH and EternalBlue. The Command-and-Control (C2, C&C) server for StripedFly operates within the TOR network, maintaining communication through frequent beacon messages containing a unique victim ID.

To establish persistence on Windows systems, StripedFly adapts its approach based on the privilege level and the presence of PowerShell. In the absence of PowerShell, it generates a concealed file in the %APPDATA% directory. When PowerShell is available, the malware executes scripts to create scheduled tasks or alter Windows Registry keys.

On Linux, StripedFly adopts the moniker 'sd-pam.' Persistence on this platform is achieved through system services, autostarting .desktop files, or by modifying various profile and startup files, including /etc/rc*, profile, bashrc, or inittab files.

Data from the Bitbucket repository responsible for delivering the final stage payload to Windows systems suggests that between April 2023 and September 2023, nearly 60,000 systems were infected by StripedFly. However, researchers estimate that the total number of devices affected by the StripedFly framework may exceed one million.

The Numerous Specialized Modules Found in the StripedFly Malware

The malware is designed as a single, self-contained binary executable with adaptable modules, providing it with operational flexibility typically associated with Advanced Persistent Threat (APT) operations:

• Configuration Storage: This module securely stores the encrypted malware configuration.
•  Upgrade/Uninstall: Responsible for managing updates or removal based on commands received from the Command-and-Control (C2) server.
•  Reverse Proxy: Enables remote actions within the victim's network.
•  Miscellaneous Command Handler: Executes various commands, including capturing screenshots and running shellcode.
•  Credential Harvester: Scans and retrieves sensitive user data like passwords and usernames.
•  Repeatable Tasks: Performs specific tasks under predefined conditions, such as recording audio from the microphone.
•  Recon Module: Sends comprehensive system information to the C2 server.
•  SSH Infector: Utilizes harvested SSH credentials to infiltrate other systems.
•  SMBv1 Infector: Propagates to other Windows systems by exploiting a custom EternalBlue vulnerability.
•  Monero Mining Module: Mines Monero cryptocurrency, disguising itself as a "chrome.exe" process.

The inclusion of the Monero cryptocurrency miner module is viewed as an attempt to divert attention, as the primary objectives of the threat actors revolve around data theft and system exploitation, facilitated by the other modules.