A sophisticated and covert cross-platform malware framework, known as StripedFly, has managed to infect over a million Windows and Linux systems over a five-year period, evading the scrutiny of cybersecurity researchers. Kaspersky, however, uncovered the true nature of StripedFly in the past year, identifying its activity dating back to 2017.
Initially misclassified as a Monero cryptocurrency miner, this malware is now recognized for its impressive capabilities, including TOR-based traffic concealment, autonomous updates from trusted sources, and a custom EternalBlue SMBv1 exploit developed prior to its public disclosure. Although the malware’s exact purpose remains unclear, its level of sophistication suggests it might be an advanced persistent threat (APT).
The malware’s initial discovery occurred when Kaspersky found its shellcode injected into the WININIT.EXE process, a legitimate Windows OS process. Investigating the injected code revealed that StripedFly downloads and executes additional files from trustworthy hosting services such as Bitbucket, GitHub, and GitLab.
These infected devices were likely first breached through a custom EternalBlue SMBv1 exploit targeting internet-exposed computers. StripedFly also employs a custom TOR network client to protect its communications, allowing it to disable SMBv1 protocol and spread across Windows and Linux devices using SSH and EternalBlue. The command and control (C2) server operates on the TOR network, communicating with victims through frequent beacon messages containing unique IDs.
StripedFly’s persistence on Windows systems adapts to privilege levels and the presence of PowerShell. For Linux systems, it operates under the name ‘sd-pam’ and maintains persistence through systemd services, autostarting .desktop files, or modifications to various profile and startup files. Kaspersky’s analysis suggests that StripedFly has infected at least 220,000 Windows systems since February 2022, and it is estimated to have infected over one million devices in total. This malware operates as a monolithic binary with pluggable modules, providing operational versatility.
These modules include configuration storage, update/uninstall management, reverse proxy, miscellaneous command execution, credential harvesting, repeatable tasks under specific conditions, system reconnaissance, SSH and SMBv1 infection, and Monero mining, used as a diversion tactic while its primary objectives include data theft and system exploitation.
Researchers also found links between StripedFly and the ransomware variant ThunderCrypt, indicating a connection to the same C2 server. The presence of a ‘repeatable tasks module’ suggests potential interest in revenue generation through some victims.