A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time.

Kaspersky discovered the true nature of the malicious framework last year, finding evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner.

The analysts describe StripedFly as nothing short of impressive, featuring sophisticated TOR-based traffic concealing mechanisms, automated updating from trusted platforms, worm-like spreading capabilities, and a custom EternalBlue SMBv1 exploit created before the public disclosure of the flaw.

While it’s unclear if this malware framework was utilized for revenue generation or cyber espionage, Kaspersky says its sophistication indicates that this is an APT (advanced persistent threat) malware.

Based on the compiler timestamp for the malware, the earliest known version of StripedFly featuring an EternalBlue exploit dates April 2016, while the public leak by the Shadow Brokers group occurred in August 2016.

StripedFly in over a million systems

The StripedFly malware framework was first discovered after Kaspersky found the platform’s shellcode injected in the WININIT.EXE process, a legitimate Windows OS process that handles the initialization of various subsystems.

After investigating the injected code, they determined it downloads and executes additional files, such as PowerShell scripts, from legitimate hosting services like Bitbucket, GitHub, and GitLab, including PowerShell scripts.

Further investigation showed that infected devices were likely first breached using a custom EternalBlue SMBv1 exploit that targeted internet-exposed computers.

The final StripedFly payload (system.img) features a custom lightweight TOR network client to protect its network communications from interception, the ability to disable the SMBv1 protocol, and spread to other Windows and Linux devices on the network using SSH and EternalBlue.

The malware’s command and control (C2) server is on the TOR network, and communication with it involves frequent beacon messages containing the victim’s unique ID.

StripedFly's infection chain
StripedFly’s infection chain (Kaspersky)

For persistence on Windows systems, StripedFly adjusts its behavior based on the level of privileges it runs on and the presence of PowerShell.

Without PowerShell, it generates a hidden file in the %APPDATA% directory. In cases where PowerShell is available, it executes scripts for creating scheduled tasks or modifying Windows Registry keys.

On Linux, the malware assumes the name ‘sd-pam‘. It achieves persistence using systemd services, an autostarting .desktop file, or by modifying various profile and startup files, such as  /etc/rc*profile, bashrc, or inittab files.

The Bitbucket repository delivering the final stage payload on Windows systems indicates that between April 2023 and September 2023, there have been nearly 60,000 system infections.

It is estimated that StripedFly has infected at least 220,000 Windows systems since February 2022, but stats from before that date are unavailable, and the repository was created in 2018.

Payload download count since April 2023
Payload download count since April 2023 (Kaspersky)

However, Kaspersky estimates that over 1 million devices were infected by the StripedFly framework.

Malware modules

The malware operates as a monolithic binary executable with pluggable modules, giving it an operational versatility often associated with APT operations.

Here’s a summary of StripedFly’s modules from Kaspersky’s report:

  • Configuration storage: Stores encrypted malware configuration.
  • Upgrade/Uninstall: Manages updates or removal based on C2 server commands.
  • Reverse proxy: Allows remote actions on the victim’s network.
  • Miscellaneous command handler: Executes varied commands like screenshot capture and shellcode execution.
  • Credential harvester: Scans and collects sensitive user data like passwords and usernames.
  • Repeatable tasks: Carries out specific tasks under certain conditions, such as microphone recording.
  • Recon module: Sends detailed system information to the C2 server.
  • SSH infector: Uses harvested SSH credentials to penetrate other systems.
  • SMBv1 infector: Worms into other Windows systems using a custom EternalBlue exploit.
  • Monero mining module: Mines Monero while camouflaged as a “chrome.exe” process.

The presence of the Monero crypto miner is considered a diversion attempt, with the primary objectives of the threat actors being data theft and system exploitation facilitated by the other modules.

“The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group,” reads Kaspersky’s report.

“Notably, the Monero cryptocurrency mined by this module reached its peak value at $542.33 on January 9, 2018, compared to its 2017 value of around $10. As of 2023, it has maintained a value of approximately $150.”

“Kaspersky experts emphasize that the mining module is the primary factor enabling the malware to evade detection for an extended period.”

The researchers also identified links to the ransomware variant ThunderCrypt, which utilizes the same C2 server at “ghtyqipha6mcwxiz[.]onion:1111.”