A covert and sophisticated strain of malware named StripedFly has silently navigated the digital realm, eluding detection for over half a decade. Kaspersky, the renowned Russian cybersecurity vendor, has unveiled the inner workings of this insidious malware. The StripedFly malware has been categorized as an advanced modular framework capable of seamlessly infiltrating both Linux and Windows systems.
The Stealthy Invasion of StripedFly
Initially detected by Kaspersky in 2017, StripedFly operates as part of a larger entity employing a custom EternalBlue SMBv1 exploit, famously associated with the Equation Group. This exploit serves as the gateway for the malware to infiltrate publicly accessible systems, deploying a malicious shellcode capable of downloading binary files from remote repositories on Bitbucket and executing PowerShell scripts.
The malware’s complexity is highlighted by its integration into the legitimate wininit.exe process, a Windows initialization mechanism. Described as a monolithic binary executable, StripedFly is designed to support pluggable modules, providing the attackers with the flexibility to extend or update its functionality seamlessly.
A Multifaceted Threat
StripedFly doesn’t stop at mere infiltration; it goes on to disable the SMBv1 protocol on infected hosts, spreading its malevolence through worming modules via both SMB and SSH. Persistence is achieved through various means, including Windows Registry modifications and task scheduler entries, or, on Linux systems, systemd user services and autostart files.
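The Linux persistence locations named above (systemd user services and autostart files) are ordinary per-user directories that a defender can enumerate. The script below is an added example written for this article, not code from Kaspersky's report or from the malware; it walks the standard `~/.config/systemd/user` and `~/.config/autostart` directories, pulls out the command each entry launches, and flags commands that match a constructed heuristic (launching from world-writable temp paths or fetching/decoding payloads). The directory names are the standard ones; the heuristic markers and the sample entries are constructed for the demo, and none of them are published StripedFly indicators.

```python
import tempfile
from pathlib import Path

# Standard per-user persistence locations on Linux (relative to $HOME).
SYSTEMD_USER_DIR = Path(".config/systemd/user")
AUTOSTART_DIR = Path(".config/autostart")

# Constructed heuristic, not StripedFly indicators: commands that run from
# temp directories or pull/decode payloads deserve a closer look.
SUSPICIOUS_MARKERS = ("/tmp/", "/dev/shm/", "/var/tmp/", "curl ", "wget ", "base64")


def _key_value(line, key):
    """Return the value of a 'key=value' line if it matches key, else None."""
    line = line.strip()
    if line.startswith(key + "="):
        return line[len(key) + 1:].strip()
    return None


def _first_value(path, key):
    """Return the first 'key=' value found in an INI-style unit or .desktop file."""
    for line in path.read_text(errors="replace").splitlines():
        value = _key_value(line, key)
        if value is not None:
            return value
    return None


def find_systemd_user_units(home):
    """List every .service unit in the user's systemd directory with its ExecStart."""
    unit_dir = Path(home) / SYSTEMD_USER_DIR
    if not unit_dir.is_dir():
        return []
    return [{"kind": "systemd-user", "path": str(unit), "command": _first_value(unit, "ExecStart")}
            for unit in sorted(unit_dir.glob("*.service"))]


def find_autostart_entries(home):
    """List every .desktop autostart entry with its Exec line."""
    auto_dir = Path(home) / AUTOSTART_DIR
    if not auto_dir.is_dir():
        return []
    return [{"kind": "autostart", "path": str(entry), "command": _first_value(entry, "Exec")}
            for entry in sorted(auto_dir.glob("*.desktop"))]


def audit_user_persistence(home):
    """Return (all entries, entries whose launch command matches a suspicious marker)."""
    entries = find_systemd_user_units(home) + find_autostart_entries(home)
    flagged = [e for e in entries
               if e["command"] and any(m in e["command"] for m in SUSPICIOUS_MARKERS)]
    return entries, flagged


def demo():
    """Build a throwaway home directory with constructed sample entries and audit it."""
    with tempfile.TemporaryDirectory() as home:
        unit_dir = Path(home) / SYSTEMD_USER_DIR
        unit_dir.mkdir(parents=True)
        # Constructed sample: a unit that launches something from /tmp.
        (unit_dir / "updater.service").write_text(
            "[Unit]\nDescription=constructed sample\n[Service]\nExecStart=/tmp/.x/run\n")
        auto_dir = Path(home) / AUTOSTART_DIR
        auto_dir.mkdir(parents=True)
        # Constructed sample: a benign-looking desktop autostart entry.
        (auto_dir / "helper.desktop").write_text(
            "[Desktop Entry]\nType=Application\nExec=/usr/bin/xdg-user-dirs-update\n")
        return audit_user_persistence(home)


if __name__ == "__main__":
    all_entries, suspicious = demo()
    for e in all_entries:
        print(("FLAG " if e in suspicious else "     ") + e["kind"], e["path"], "->", e["command"])
```

Run it against a real account by calling `audit_user_persistence(Path.home())`; system-wide units under `/etc/systemd/system` and scheduled jobs are out of scope here, and the marker list is a starting point to tune, not a verdict.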
Beyond its covert operations, StripedFly downloads a Monero cryptocurrency miner, utilizing DNS over HTTPS (DoH) requests to conceal its presence. This miner acts as a decoy, strategically diverting attention from the malware’s more sinister capabilities and thwarting security software.
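Because DNS over HTTPS bypasses the resolver logs defenders normally rely on, the useful detection point is the HTTP layer: a proxy or TLS-inspection log that records the URL and content type. The script below is an added example for this article, not code from Kaspersky's report or the malware; it scans constructed proxy log lines for the RFC 8484 signals of DoH (the `application/dns-message` media type, a `/dns-query` path, a base64url `dns=` parameter), decodes the `dns=` parameter to recover the queried name, and reports only requests to resolvers outside a constructed allowlist. The log format, the resolver names, the `pool.example.net` query and the sanctioned host are all constructed for the demo.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

DOH_CONTENT_TYPE = "application/dns-message"   # RFC 8484 media type

# Constructed allowlist: the one DoH resolver this organisation sanctions.
SANCTIONED_DOH_HOSTS = {"doh.corp.example"}


def build_dns_query(name, qtype=1):
    """Encode a minimal RFC 1035 wire-format query for name (used only to build sample data)."""
    header = b"\x00\x00" + b"\x01\x00" + b"\x00\x01" + bytes(6)   # id, RD flag, QDCOUNT=1
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + question + b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def qname_from_dns_message(msg):
    """Extract the first question name from a DNS wire-format message, or None."""
    if len(msg) < 12 or int.from_bytes(msg[4:6], "big") == 0:
        return None
    pos, labels = 12, []
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:        # compression pointer: not valid in a query's question name
            return None
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels) or None


def parse_log_line(line):
    """Parse the constructed log format: ts client method url status content_type."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, ctype = parts
    return {"time": ts, "client": client, "method": method, "url": url,
            "status": status, "content_type": ctype}


def classify_doh(record):
    """Return a verdict dict if the request looks like DoH, else None."""
    url = urlsplit(record["url"])
    reasons = []
    if record["content_type"].lower() == DOH_CONTENT_TYPE:
        reasons.append("content type " + DOH_CONTENT_TYPE)
    if url.path.endswith("/dns-query"):
        reasons.append("/dns-query path")
    qname = None
    dns_param = parse_qs(url.query).get("dns")
    if dns_param:
        reasons.append("dns= query parameter")
        try:
            qname = qname_from_dns_message(b64url_decode(dns_param[0]))
        except (binascii.Error, ValueError):
            qname = None
    if not reasons:
        return None
    return {"time": record["time"], "client": record["client"], "method": record["method"],
            "host": url.hostname, "sanctioned": url.hostname in SANCTIONED_DOH_HOSTS,
            "qname": qname, "reasons": reasons}


def scan_log(lines):
    """Return DoH requests that went to any resolver other than the sanctioned one."""
    hits = []
    for line in lines:
        record = parse_log_line(line)
        verdict = classify_doh(record) if record else None
        if verdict and not verdict["sanctioned"]:
            hits.append(verdict)
    return hits


# Constructed sample log: one sanctioned DoH lookup, two to an outside resolver, one plain web hit.
SAMPLE_LOG = [
    "2023-10-26T10:00:01Z 10.0.0.5 GET https://doh.corp.example/dns-query?dns="
    + b64url_encode(build_dns_query("intranet.corp.example")) + " 200 application/dns-message",
    "2023-10-26T10:00:07Z 10.0.0.9 GET https://resolver.example.org/dns-query?dns="
    + b64url_encode(build_dns_query("pool.example.net")) + " 200 application/dns-message",
    "2023-10-26T10:00:09Z 10.0.0.9 POST https://resolver.example.org/dns-query 200 application/dns-message",
    "2023-10-26T10:00:12Z 10.0.0.7 GET https://www.example.com/index.html 200 text/html",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["method"], hit["host"], hit["qname"], hit["reasons"])
```

POST-style DoH carries the query in the request body, so only the path and content type are visible in a URL-level log; recovering the name there needs body capture. A host that talks DoH to an unsanctioned resolver is the lead, and the decoded names (a mining pool, for instance) are what turn the lead into a finding.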
Unprecedented Dedication
What sets StripedFly apart is its dedication to stealth and evasion. The malware employs a Tor network tunnel for communication with command servers, using custom encrypted archives hosted on trusted services like GitLab, GitHub, and Bitbucket. The malware even features its own lightweight Tor client, a testament to the lengths to which the threat actors have gone to conceal their command-and-control (C2) server.
The repositories, acting as fallback mechanisms, ensure the malware’s continuity even if the primary C2 server becomes unresponsive, showcasing a level of sophistication rarely seen in cyber threats.
Parallels with the EternalBlue Exploit
Kaspersky’s investigation unveiled intriguing parallels between StripedFly and the Equation Group’s exploits, particularly the infamous EternalBlue. This connection hints at the involvement of an advanced persistent threat (APT) actor, raising questions about the true origins and motives behind StripedFly’s creation.
Despite the compelling evidence, the real purpose of StripedFly remains shrouded in mystery. The enigma deepens as the malware’s coding style mirrors that of STRAITBIZARRE (SBZ), an espionage platform associated with a suspected U.S.-linked adversarial collective.
Unanswered Questions
As cybersecurity researchers grapple with the curious nature of StripedFly, questions linger about its ultimate objective. While ThunderCrypt, a ransomware variant that shares significant code with StripedFly, suggests a potential commercial motive, the sophisticated design and deployment of StripedFly challenge conventional assumptions about the intent behind such advanced malware.