Over a million Windows and Linux systems infected by this tricky new malware

Cybersecurity researchers at Kaspersky have discovered an ‘impressive’ malware threat that has been hiding in plain sight for half a decade.

The first evidence of activity from the malware, called StripedFly, dates back to 2017, Kaspersky says; it was spotted at the time but dismissed as a “mere” cryptocurrency miner.

However, new research has revealed that StripedFly is capable of much more than mining cryptocurrency: it can remotely execute commands, take screenshots, execute shellcode, steal passwords and other sensitive data, record audio through the device’s microphone, spread to adjacent endpoints using previously stolen credentials, abuse the EternalBlue exploit to compromise other systems, and, finally, mine Monero.

Mining Monero

In fact, the Monero mining is now seen as a decoy, intended to deter researchers from analyzing the code any further.

The tactic appears to have worked, as a million devices have allegedly been compromised in the meantime. The key word here is “allegedly”, because even Kaspersky cannot know for sure. The only hard data the researchers managed to obtain comes from a Bitbucket repository that served the final stage of the payload, which shows 220,000 Windows infections since February 2022. Although the repository was created in 2018, data from before February 2022 is no longer available. Kaspersky nevertheless estimates at least a million infections, especially since StripedFly targets both Windows and Linux endpoints.

There’s no word on who could be behind this giant of a platform. Kaspersky does not explicitly say whether a state-sponsored actor is responsible, but it does claim that this is most likely the work of an Advanced Persistent Threat (APT), and APTs, the researchers note, are largely state-sponsored.

“The malware payload includes multiple modules, allowing the actor to act as an APT, a crypto miner and even a ransomware group,” Kaspersky said in its report.

“Notably, the Monero cryptocurrency mined by this module reached its peak value of $542.33 on January 9, 2018, up from its value of around $10 in 2017. As of 2023, it has maintained a value of around $150.”

“Kaspersky experts emphasize that the mining module is the main factor that allows the malware to evade detection for an extended period of time.”
