Kaspersky has recently uncovered a highly sophisticated modular malware framework that has been silently infiltrating systems since 2017. This malware, StripedFly, was originally misclassified as solely a cryptocurrency miner, but its capabilities extend far beyond mere mining. In the words of Kaspersky, “The effort put into crafting this framework is truly remarkable, and its revelation has been nothing short of astonishing.”
This malware leverages a custom EternalBlue SMBv1 variant to breach its victims’ systems. While the EternalBlue exploit was disclosed in 2017, this custom variant managed to stay under the radar due to its discreet propagation methods.
The initial infection point is the WINNIT.exe process, capable of downloading and executing PowerShell scripts. Kaspersky’s antivirus raised a red flag for Winnit.exe, an integral part of the Windows boot process, and was able to link it to the StripedFly platform. The malware injects shellcode delivered via an SMBv1 exploit to create a framework with plugin-like expandable functionality and an extremely lightweight Tor network client. To further its reach, the malware disables the SMBv1 protocol and seeks to propagate within the local network through SMBv1 exploits and SSH, utilizing credentials harvested from the victim’s machine.
Once inside a system, the malware displays remarkable resilience and adapts its behavior based on the host operating system. In the presence of PowerShell, the malware archives itself in the registry key. On Linux systems, it establishes persistence through various methods, such as incorporating itself into existing files or hiding within systemd services.
The malware archive is hosted on Bitbucket as a set of five compressed custom binary files. Three of these files serve to update the malware and function as the initial infection payload, while the other two files monitor the availability of new updates. The malware primarily receives updates from the C2 server and only interacts with the repository when the C2 server is offline. Approximately one million updates were retrieved from the Bitbucket repository, suggesting that the actual number is likely much higher.
The C2 server operates on the TOR network, linking back to the TOR client that the malware previously downloaded onto the infected host. The TOR client appears to be entirely custom, adding another layer of complexity to the malware.
At regular intervals, the malware initiates TCP connections with the C2 server, transmitting a greeting message containing the victim’s unique ID and subsequently sending an empty beacon message every minute.
StripedFly is a modular framework with many separate components. Kaspersky’s report on StripedFly outlines its various modules:
- Configuration Storage: Securely stores encrypted malware configurations.
- Upgrade/Uninstall: Manages updates and system removal based on commands from the C2 server.
- Reverse Proxy: Allows remote actions within the victim’s network.
- Miscellaneous Command Handler: Executes various commands, such as interacting with the victim’s file system, capturing screenshots, retrieving system information, and executing shellcode received from the C2 server.
- Credential Harvester: Periodically scans for sensitive information, including website login credentials, autofill data, Wi-Fi network details, and credentials from various software clients. It targets popular web browsers as well as lesser-known ones.
- Repeatable Tasks: Performs actions like taking screenshots, executing processes with specific command lines, and recording microphone input, with the condition that specific windows must be visible.
- Recon Module: Compiles extensive system information and transmits it to the C2 server, including details about the operating system, hardware, network, and software present on the victim’s system.
- SSH Infector: Activates after the credential harvester module, targeting SSH keys and credentials, and attempts to infiltrate remote systems.
- SMBv1 Infector: Uses a custom EternalBlue exploit to penetrate Windows systems, modifying registry settings to disable the SMBv1 protocol.
Monero Mining Module:
- Monero Cryptocurrency Mining Module: Operates in a separate process, masquerading as a “chrome.exe” process, mining Monero cryptocurrency. It also conceals DNS resolutions behind DNS over HTTPS requests to Cloudflare’s DNS over HTTPS service.
The Monero mining module is a significant aspect of StripedFly’s functionality. Operating in a separate process, it disguises itself as a “chrome.exe” process. The main module of the malware monitors the mining process and restarts it as needed, while also reporting hash rates, work times, discovered nonces, and error statistics to the C2 server. This module is designed to conceal the malware, but it also opens the door to more lucrative opportunities, such as hunting for unencrypted binary wallets or wallet credentials.
Notably, a previous version of this malware, ThunderCrypt, closely resembled StripedFly in terms of functionality and modules. However, ThunderCrypt lacked the SMBv1 infection module, instead incorporating the file listing component of the repeatable task module into its ransom encryption process.
The origins of StripedFly remain shrouded in mystery. It is undoubtedly a highly complex malware, as evidenced by the extensive efforts to disguise it.