A highly sophisticated piece of malware posing as a cryptocurrency miner has stayed under the radar for five years, infecting more than one million devices, cybersecurity firm Kaspersky warns.
Dubbed StripedFly, the threat contains code sequences previously observed in the malware used by the threat actor known as the Equation Group, which has been linked to the US National Security Agency.
Designed as a modular framework, StripedFly can target both Windows and Linux and comes with a built-in Tor network tunnel it uses for communication with the command-and-control (C&C) server. It also has update and delivery mechanisms that rely on trusted services, including Bitbucket, GitLab, and GitHub.
“Such an approach is by no means common among APT and crimeware developers, and this notable example underscores the sophistication of this malware against the background of many others. Its functional complexity and elegance remind us of the elegant code implementing delay tolerant Equation communications networking and other libraries, reinforcing its classification as a highly advanced threat,” Kaspersky notes.
StripedFly, the cybersecurity firm says, was initially detected in 2017, when it was misclassified as a cryptocurrency miner, despite its custom EternalBlue SMBv1 exploit that allowed it to spread quietly, avoiding detection by most security solutions.
Based on the presence of PowerShell and its privileges on the system, the malware achieves persistence by modifying Windows registry or by creating scheduler tasks. Various persistence methods are used on Linux as well.
Malware components that can be offloaded are hosted as encrypted binaries on online services. While the download counts on those repositories only reflect the downloads for the latest version, Kaspersky has determined that over one million updates have been downloaded since 2017.
StripedFly’s modules provide either service or extended functionality and are responsible for storing the malware’s configuration, upgrade and uninstall operations, creating a reverse proxy, harvesting credentials and files, taking screenshots, executing processes, recording microphone input, performing reconnaissance, spreading the malware, and mining for Monero.
Kaspersky’s analysis of the malware also revealed multiple similarities with the ThunderCrypt ransomware, such as the presence of a Tor client and multiple modules with the same functionality as StripedFly’s.
Furthermore, the security firm found similarities between StripedFly and the Equation malware, although it has identified “no direct evidence that they are related”.
According to Kaspersky, the purpose of StripedFly remains unclear. What is clear, however, is that it has all the capabilities of an advanced persistent threat, combined with those of ransomware, and that it can be used both for financial gain and espionage.