StripedFly Worming Miner Affecting 1 Million Users


Previously unknown malware dubbed StripedFly has affected some one million victims globally since 2017, initially acting as a crypto miner but capable of operating as a multi-functional wormable framework, Kaspersky said in a new report.

StripedFly has been previously misclassified as a crypto miner, enabling it to evade detection. But further analysis found that it was part of a complex, multi-platform, multi-plugin malicious framework, capable of performing as an advanced persistent threat, a crypto miner and as a ransomware family, the security provider said.

Kaspersky said that the mining module is the primary factor that enabled the malware to evade detection for an extended period. Notably, the Monero cryptocurrency mined by this module has maintained a value of approximately $150 as of 2023, after topping out at roughly $542 in early January 2018.

The attacker behind StripedFly has extensive cyber espionage capabilities. Here are some more details:

  • The malware harvests credentials every two hours, pilfering sensitive data such as website and Wi-Fi login credentials, along with personal data, such as name, address, phone number, company and job title.
  • The malware can capture screenshots on the victim's device without detection, gain control over the machine, and record microphone input.
  • Kaspersky found the use of a custom-made EternalBlue 'SMBv1' exploit to infiltrate victims' systems.
  • Despite the public disclosure of the EternalBlue vulnerability in 2017, and Microsoft's subsequent release of a patch (designated as MS17-010), the threat it presents remains significant because many users have not updated their systems.
  • Kaspersky researchers said the StripedFly malware has some similarities to the Equation group, including signatures associated with Equation group malware, and a coding style and practices resembling those in the StraitBizarre malware.

"The amount of effort invested in creating this framework is truly remarkable, and its unveiling was quite astonishing," said Sergey Lozhkin, principal security researcher at Kaspersky's global research and analysis team. "Threat actors' ability to adapt and evolve is a constant challenge, which is why it's so important for us as researchers to continue to dedicate our efforts into uncovering and disseminating sophisticated cyberthreats, and for customers not to forget about comprehensive protection."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.