Researchers at cybersecurity solutions provider Kaspersky have uncovered a highly sophisticated malware framework called StripedFly, previously disguised as a cryptocurrency miner. Operating globally since at least 2017, it was initially mistaken for a simple miner but turned out to be a complex, multi-functional malware with wormable capabilities.
In 2022, Kaspersky’s security team identified unusual activity within the WININIT.EXE process, resembling code sequences seen in the Equation malware. Despite earlier misclassification as a cryptocurrency miner, further analysis unveiled a more extensive malicious framework incorporating multiple modules.
“The amount of effort invested in creating this framework is truly remarkable, and its unveiling was quite astonishing,” said Sergey Lozhkin, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
Beyond its initial cryptocurrency mining function, the malware operates as an Advanced Persistent Threat (APT), a crypto miner, and potentially even as ransomware, expanding its motives from financial gain to espionage. The mining module mainly served to keep the malware unnoticed for years, taking advantage of the soaring value of the Monero cryptocurrency in 2018.
The threat actor behind StripedFly has extensive espionage capabilities, harvesting sensitive data such as credentials (including website and Wi-Fi logins) and personal information such as names, addresses, and contact details. It can covertly capture screenshots, gain significant control over infected machines, and record microphone input.
Further investigation revealed the initial infection vector: the EternalBlue exploit against SMBv1. Although Microsoft patched the EternalBlue vulnerability in 2017 (MS17-010), many users had not updated their systems, amplifying the threat’s impact.
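The practical takeaway from the EternalBlue detail is that a host is exposed only while SMBv1 is reachable and MS17-010 is missing. The following PowerShell script is an added example, not code from Kaspersky’s report or from the StripedFly analysis, that audits a single Windows host for SMBv1 exposure and optionally disables the protocol; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, where the `Get-SmbServerConfiguration` and `Get-WindowsOptionalFeature` cmdlets are available, and the `-Remediate` switch is a name chosen for this example.

```powershell
# Added example (not from the Kaspersky report): audit a Windows host for the
# SMBv1 exposure that EternalBlue (MS17-010) abuses, and optionally disable it.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell session.

param(
    [switch]$Remediate   # hypothetical switch: disable SMBv1 when set
)

function Get-Smb1Status {
    # Server-side SMBv1 switch: this is the listener an EternalBlue-style probe talks to.
    $server = Get-SmbServerConfiguration -ErrorAction Stop

    # Optional-feature state covers the SMB1 client/server components themselves.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'Unknown' }
    }
}

$status = Get-Smb1Status
$status | Format-List

if ($status.Smb1ServerEnabled -or $status.Smb1FeatureState -eq 'Enabled') {
    Write-Warning "SMBv1 is still enabled on $($status.ComputerName); confirm the MS17-010 update is installed or disable SMBv1."
    if ($Remediate) {
        # Turn off the SMBv1 server and remove the feature; a reboot may be required to finish.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
} else {
    Write-Output "SMBv1 is disabled on $($status.ComputerName)."
}
```

Run it without the switch first to inventory the host; run it with `-Remediate` only after confirming nothing on the network still depends on SMBv1 (legacy printers and NAS devices are the usual holdouts). To verify MS17-010 itself, compare `Get-HotFix` output against the update identifier Microsoft lists for your exact OS build, since the KB number differs per version.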
The technical analysis found similarities to the Equation malware, indicating a sophisticated design akin to the StraitBizarre (SBZ) malware. The estimated number of StripedFly victims worldwide exceeded one million, highlighting its widespread impact.
“Threat actors’ ability to adapt and evolve is a constant challenge, which is why it’s so important for us as researchers to continue to dedicate our efforts to uncovering and disseminating sophisticated cyberthreats, and for customers not to forget about comprehensive protection,” Lozhkin said.