Global cybersecurity and digital privacy firm Kaspersky’s researchers have discovered highly sophisticated malware affecting over a million victims since 2017.
The malware – “StripedFly” – initially masqueraded as a cryptocurrency miner and was later found to be a complex multi-functional wormable framework. According to the Kaspersky report published Thursday, StripedFly infected over 1 million Windows and Linux computers for five years.
“It comes equipped with a built-in TOR network tunnel for communication with command servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives.”
Kaspersky researchers discovered the malicious framework last year and noted that the effort in creating the framework was “truly remarkable.”
“In 2022, we came across two unexpected detections within the WININIT.EXE process of an older code which was earlier observed in Equation malware,” the researchers wrote. “Subsequent analysis revealed earlier instances of suspicious code dating back to 2017.”
The malware was wrongly classified as just a Monero cryptocurrency miner and it is unclear whether this was utilized for revenue generation or cyber espionage. Experts maintained that the mining module was the key factor enabling the malware to evade detection for a long period.
The findings further added that the attacker behind the malware has acquired extensive capabilities to spy on victims. The malware “collects a range of sensitive information from all active users,” it added.
It extracts website login usernames and passwords and personal autofill data including name, address, phone number, company, and job title. “It also captures known Wi-Fi network names and the associated passwords,” the report revealed.
StripedFly’s origins remain unknown however further investigations reveal that the malware uses similar techniques as EternalBlue ‘SMBv1’ exploit to infiltrate the victim’s systems.
EternalBlue was leaked in April 2017 and continues to threaten unpatched Windows servers. The infamous exploit was created and used by an NSA hacking group known as the Equation Group.
Kaspersky disclosed that StripedFly was initially detected in April 2016, a year before the EternalBlue detection. In early 2017, Microsoft released a patch for the EternalBlue exploit.
“Created quite some time ago, StripedFly has undoubtedly fulfilled its intended purpose by successfully evading detection over the years. Many high-profile and sophisticated malicious software have been investigated, but this one stands out and truly deserves attention and recognition.”