Kaspersky Lab experts have uncovered a complex, previously unknown and intricately designed malicious campaign named StripedFly. Since 2017, the operation has affected over a million users globally. Although its intensity has waned, the threat remains active and still poses a serious danger.
For a long period, StripedFly was believed to be a mere cryptominer. However, deeper analysis revealed it to be a multifaceted program equipped with a multifunctional framework. This malware is capable of executing diverse attacks and boasts numerous modules, making it a versatile tool for malefactors.
In 2022, specialists from the Global Research and Analysis Team (GReAT) of Kaspersky Lab detected two new incidents linked to StripedFly malware. Both were associated with the wininit.exe system process in the Windows operating system. Traces led to the discovery of code sequences formerly affiliated with the notorious Equation malware. It emerged that StripedFly is merely a component of a more intricate structure boasting an array of plugins, offering cybercriminals vast capabilities.
The malicious module offers myriad options, allowing its deployment in Advanced Persistent Threat (APT) attacks, for cryptocurrency mining, or even for delivering ransomware. This implies that the adversaries might have varied motives, ranging from financial gain to espionage. Intriguingly, the Monero cryptocurrency mining module embedded in StripedFly managed to remain covert for an extended period, owing to its efficiency.
Furthermore, StripedFly provides malefactors with a plethora of stealth espionage capabilities. The malware harvests various credentials, encompassing logins and passwords, in addition to personal user data. It also possesses the ability to capture screen images and even record audio from microphones.
Researchers also disclosed that StripedFly propagates via the EternalBlue exploit for a vulnerability in Microsoft's Server Message Block (SMB) protocol that was disclosed in 2017. Although Microsoft released a patch, not every system has been updated, so the threat persists.
Similarities with Equation were identified through various indicators, including signatures, coding style, and attack methodologies. According to Kaspersky Lab, StripedFly malware targets over a million users worldwide.
Kaspersky Lab emphasized the impressive effort invested in the framework’s creation. The primary challenge for cybersecurity experts is the adversaries’ relentless adaptability to evolving conditions. Hence, researchers must consolidate efforts in identifying intricate cyber threats, while users must remain vigilant about comprehensive cyberattack protection.