The StripedFly mining worm has spying capabilities and infected more than a million systems

Carding 4 Carders

Researchers have discovered a previously unknown and complex piece of malware called StripedFly. Since 2017 it has infected more than a million users worldwide, and it is still in use, although less actively. It was previously believed to be an ordinary cryptocurrency miner, but it turned out to be a sophisticated threat built on a multifunctional, fully working framework.

Kaspersky Lab experts say that in 2022 they detected two incidents involving StripedFly. Both were tied to the Windows system process wininit.exe, in which they noticed a code sequence previously used in Equation Group malware.

[Image: StripedFly attack scheme]

The analysis showed that the malicious code downloaded and executed additional files (for example, PowerShell scripts) from legitimate hosting services, including Bitbucket, GitHub, and GitLab.
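The two behaviours described above, wininit.exe downloading from a code-hosting service and running PowerShell, are a detection opportunity, since the Windows start-up process normally does neither. The following is an added example, not Kaspersky's code or any product's rule; it assumes a simplified key=value event format (constructed here, not real Sysmon output) and the heuristic that any outbound connection or PowerShell child from wininit.exe is anomalous.

```python
"""Heuristic detection for the wininit.exe anomaly described in the report.
Added example; the event format and sample telemetry below are constructed."""

# Hosting services the report names as staging locations for later stages.
CODE_HOSTS = {"bitbucket.org", "github.com", "gitlab.com"}
WININIT = r"c:\windows\system32\wininit.exe"

# Constructed sample telemetry (key=value, one event per line, no spaces in values).
SAMPLE_LOG = """\
event=NetConnect image=C:\\Windows\\System32\\svchost.exe dest=update.microsoft.com:443
event=ProcessCreate parent=C:\\Windows\\System32\\wininit.exe image=C:\\Windows\\System32\\services.exe
event=NetConnect image=C:\\Windows\\System32\\wininit.exe dest=bitbucket.org:443
event=ProcessCreate parent=C:\\Windows\\System32\\wininit.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
event=NetConnect image=C:\\Windows\\System32\\wininit.exe dest=10.0.0.7:1111
"""

def parse(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def classify(ev):
    """Return a (severity, reason) finding for one event, or None if benign."""
    kind = ev.get("event")
    if kind == "NetConnect" and ev.get("image", "").lower() == WININIT:
        host, _, port = ev.get("dest", "").partition(":")
        if host.lower() in CODE_HOSTS:
            # Matches the staging pattern from the report: payload pulled from a code host.
            return ("high", f"wininit.exe fetching from code host {host}")
        # Any other outbound connection from wininit.exe is still worth a look.
        return ("medium", f"wininit.exe opened outbound connection to {host}:{port}")
    if kind == "ProcessCreate" and ev.get("parent", "").lower() == WININIT:
        child = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        if child == "powershell.exe":
            return ("high", "wininit.exe spawned powershell.exe")
    return None  # e.g. wininit.exe starting services.exe is normal

def detect(log_text):
    """Run classify() over every non-empty line; findings are returned in log order."""
    findings = [classify(parse(l)) for l in log_text.splitlines() if l.strip()]
    return [f for f in findings if f]

if __name__ == "__main__":
    for severity, reason in detect(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```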

Although the samples found had been active since at least 2017, they were not studied thoroughly at first, because they were initially mistaken for an ordinary cryptocurrency miner. Only a comprehensive analysis showed that the miner is just one part of a more complex multi-platform framework with many plugins.

The researchers concluded that the many modules allow attackers to use StripedFly as part of APT attacks, as well as a cryptocurrency miner or even as ransomware. Accordingly, the list of possible motives is much wider, from financial gain to espionage.

At the same time, the report notes that the Monero cryptocurrency mined by the malicious module peaked in value at $542.33 on January 9, 2018 (for comparison, its price in 2017 was about $10). Now, in 2023, it hovers around $150.

The researchers regard the miner as a red herring: the attackers' main goals are data theft and compromising systems with the other modules. Moreover, the mining module is the main reason the threat went largely undetected for so long.

Beyond mining, the attackers have many ways to spy on victims covertly. The malware harvests credentials every two hours: usernames and passwords for websites or Wi-Fi networks, and personal data including name, address, phone number, employer and job title. StripedFly can also discreetly take screenshots on the victim's device, take full control of it, and even record audio from the microphone.

Interestingly, the source of the initial infection remained unknown for a long time. Further investigation revealed that the attackers were using their own implementation of the EternalBlue SMBv1 exploit for this purpose.

The final StripedFly payload (system.img) includes a custom lightweight Tor client to protect its network communications from interception (the control server is hosted in Tor), can disable the SMBv1 protocol, and spreads to other Windows and Linux devices using SSH and the EternalBlue exploit mentioned above.

The Bitbucket repository that delivers the final-stage payload to Windows systems shows that about 60,000 infections occurred between April 2023 and September 2023.

According to experts, since February 2022, StripedFly has infected at least 220,000 Windows systems, but statistics for an earlier period are not available, and the repository itself was created in 2018. As a result, according to the researchers, StripedFly has already infected at least a million devices in total.

It is also worth noting that the researchers found a link between StripedFly and the older ThunderCrypt ransomware, which appeared back in 2017. In particular, both programs share the same codebase and communicate with the same command-and-control server at ghtyqipha6mcwxiz [.] onion:1111.

In terms of functionality and its set of modules, ThunderCrypt turned out to be strikingly similar to StripedFly. It, too, has a Tor client, a configuration store, a malware update/removal module, and a reconnaissance module. There is only one notable exception: it lacks the SMBv1 infection module.

"What is the true purpose of [StripedFly]? This remains a mystery. Although the ThunderCrypt ransomware suggests a financial motive for its authors, one wonders why they didn't choose a more lucrative path. Usually, ransomware authors collect anonymous ransoms, but this case seems to be an exception.

The question remains open, and only the people who created this mysterious malware know the answer. It is difficult to accept the idea that such sophisticated and professionally designed malware can serve such trivial purposes, given that all the evidence suggests otherwise," the analysts conclude.