2023-11-04

An advanced piece of malware that hides behind the guise of a cryptocurrency miner has managed to escape attention for over five years, infecting at least one million devices worldwide in the process, according to findings from Kaspersky, which gave the threat the code name “StripedFly” and described it as an “intricate modular framework that supports both Linux and Windows”.

What is known about StripedFly

The Russian cybersecurity vendor, which first spotted the samples in 2017, said the miner is part of a much larger entity that uses a custom EternalBlue SMBv1 exploit, attributed to the Equation Group, to infiltrate publicly accessible systems.

The malicious code delivered through the vulnerability can download binary files from a remote Bitbucket repository and execute PowerShell scripts; it also supports a number of expandable plugin-like features for collecting sensitive data and even uninstalling itself.

The platform’s shellcode is injected into the wininit.exe process, a legitimate Windows process started by the boot manager (BOOTMGR) that handles the initialization of various services.

“The malware payload itself is structured as a monolithic binary executable code designed to support plug-in modules to extend or upgrade its functionality,” said security researchers Sergey Belov, Vilen Kamalov and Sergey Lozhkin in a technical report published last week. “It features a built-in TOR network tunnel for communication with command servers, plus update and delivery capabilities via trusted services like GitLab, GitHub, and Bitbucket, using custom encrypted repositories.”

Other notable spy modules allow the operators to harvest credentials every two hours, take screenshots on the victim’s device without being detected, record microphone input, and launch a reverse proxy to perform remote actions.

After gaining a foothold, the malware disables the SMBv1 protocol on the infected host and uses a propagation module to spread to other machines over both SMB and SSH, reusing SSH keys collected on compromised systems.

StripedFly achieves persistence by editing the Windows registry or creating task scheduler entries if the PowerShell interpreter is installed and administrative access is available; on Linux, persistence is achieved through a systemd user service, a .desktop file started automatically, or by editing /etc/rc*, profile, bashrc, or inittab files.
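A defender reviewing a Linux host would want to inventory exactly the user-level persistence points named above. The script below is an added example, not code from Kaspersky’s report: it parses constructed sample contents for a systemd user unit, an autostart .desktop file, a .bashrc and an rc.local, extracts the programs each would launch, and applies a simple heuristic (binaries under staging directories or hidden paths) to decide which entries deserve a manual look.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample file contents standing in for files on a host (not from the report).
SAMPLE_FILES: Dict[str, str] = {
    "/home/u/.config/systemd/user/update.service":
        "[Unit]\nDescription=Updater\n[Service]\nExecStart=/tmp/.x/agent --tor\n"
        "[Install]\nWantedBy=default.target\n",
    "/home/u/.config/autostart/helper.desktop":
        "[Desktop Entry]\nType=Application\nName=Helper\nExec=/home/u/.cache/.h -q\n",
    "/home/u/.bashrc":
        "export PATH=$PATH:~/bin\n/dev/shm/.s &\nalias ll='ls -l'\n",
    "/etc/rc.local":
        "#!/bin/sh\n/usr/sbin/ntpdate pool.ntp.org\nexit 0\n",
}

# Locations a legitimate autostart entry rarely points at (heuristic, assumed here).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def launched_programs(path: str, content: str) -> List[str]:
    """Return the executables a persistence file would launch at login/boot."""
    progs: List[str] = []
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if path.endswith((".service", ".desktop")):
            # systemd units use ExecStart=/ExecStartPre=, .desktop files use Exec=
            m = re.match(r"^Exec(?:Start|StartPre|StartPost)?=(\S+)", line)
            if m:
                progs.append(m.group(1))
        elif line.startswith("/"):
            # rc/profile/bashrc style: a line that directly runs an absolute path
            progs.append(line.split()[0])
    return progs


def is_suspicious(prog: str) -> bool:
    """Heuristic: flag binaries started from staging dirs or hidden path components."""
    if prog.startswith(STAGING_DIRS):
        return True
    return any(part.startswith(".") for part in prog.split("/") if part)


def audit(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (persistence file, launched program) pairs worth manual review."""
    return [(path, prog) for path, content in files.items()
            for prog in launched_programs(path, content) if is_suspicious(prog)]


if __name__ == "__main__":
    for path, prog in audit(SAMPLE_FILES):
        print(f"{path}: launches {prog}")
```

On a real host the same functions can be fed the contents of ~/.config/systemd/user/*.service, ~/.config/autostart/*.desktop and the rc/profile files instead of the constructed samples.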

Also downloaded is a Monero cryptocurrency miner that uses DNS over HTTPS (DoH) requests to resolve pool servers, adding a further layer of stealth to the malicious activity; the miner is believed to serve as a decoy that keeps security software from discovering the full extent of the malware’s capabilities.

In an effort to minimize its footprint, the downloadable malware components are hosted as encrypted binaries on code repository hosting services such as Bitbucket, GitHub and GitLab.

For example, the Bitbucket repository operated by the threat actor since June 2018 includes executable files that serve the initial infection payload on Windows and Linux, check for new updates and, if necessary, update the malware.

Communication with the command and control (C2) server, hosted in the TOR network, occurs using a custom, lightweight implementation of a TOR client that does not rely on publicly documented methods.

“The level of dedication demonstrated by this feature is remarkable,” the researchers said. “The goal of hiding the C2 server at all costs drove the development of a unique and expensive project: creating their own TOR client.”

Another notable feature is that these repositories act as fallback mechanisms from which the malware downloads update files when the primary source (the C2 server) becomes unresponsive.

Kaspersky also discovered a ransomware family called ThunderCrypt that shares significant source code overlap with StripedFly, except for the SMBv1 infection module; it is believed that ThunderCrypt was used against targets in Taiwan in 2017.

StripedFly’s origins currently remain unknown, although the sophistication of the framework and its similarities with EternalBlue bear all the hallmarks of an advanced persistent threat (APT) actor.

It is important to note that while the Shadow Brokers released the EternalBlue exploit on April 14, 2017, the oldest identified version of StripedFly incorporating EternalBlue dates back a year earlier, to April 9, 2016; after its publication, the EternalBlue exploit was reused by North Korean and Russian hacking groups to spread the WannaCry and Petya malware.

That said, there is also evidence that Chinese hacking groups may have had access to some of the Equation Group’s exploits before they were made available online, as revealed by Check Point in February 2021.

Similarities to malware associated with the Equation Group, Kaspersky said, are also reflected in coding style and practices resembling those seen in STRAITBIZARRE (SBZ), another cyber-espionage platform employed by the adversarial collective suspected of being linked to the United States.

The development comes nearly two years after researchers at China’s Pangu Lab detailed a “prominent backdoor” called Bvp47, reportedly used by the Equation Group against over 287 targets in various industries across 45 countries; it goes without saying that a crucial aspect of the campaign that remains a mystery, except to those who created the malware, is its actual purpose.

“While the ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn’t opt for a potentially more lucrative route,” the researchers said. “It is difficult to accept the idea that such sophisticated and professionally designed malware could serve such a trivial purpose, given all the data to the contrary.”