Cybersecurity researchers from Kaspersky have discovered an “impressive” malware threat hiding in plain sight for half a decade.
Called StripedFly, the malware’s earliest evidence of activity dates back to 2017, Kaspersky claims, where at one point it was discovered but dismissed as a “mere” cryptocurrency miner.
However, a new investigation has shown that StripedFly is capable of a lot more than just mining cryptocurrency: it can execute commands remotely, grab screenshots and execute shellcodes, steal passwords and other sensitive data, record sounds using the integrated microphone, move to adjacent endpoints using previously stolen credentials, abuse the EternalBlue exploit to worm into other systems, and lastly - mine Monero.
Mining Monero
In fact, Monero mining is now seen as a diversion attempt, to throw researchers off and prevent them from analyzing the code further.
The tactic seems to have worked, as a million devices were allegedly compromised in the meantime. The keyword here is “allegedly” because even Kaspersky can’t know for certain. The only actual data the researchers managed to obtain comes from a Bitbucket repository that delivered the final stage payload, and it shows 220,000 Windows infections since February 2022. Since the repository was created in 2018, earlier data is unavailable. But Kaspersky estimates at least a million infections, especially since StripedFly targets both Windows and Linux endpoints.
There is no word on who might be behind this goliath of a platform. Kaspersky doesn’t explicitly say if it’s a state-sponsored player or not, but it does argue that this is most likely the work of an Advanced Persistent Threat (APT) and these are mostly state-sponsored, researchers would agree.
"The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group," Kaspersky says in its report.
"Notably, the Monero cryptocurrency mined by this module reached its peak value at $542.33 on January 9, 2018, compared to its 2017 value of around $10. As of 2023, it has maintained a value of approximately $150."
"Kaspersky experts emphasize that the mining module is the primary factor enabling the malware to evade detection for an extended period."
- phen0men4, Adenman and Karlston
- 3
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.