In 2022, Kaspersky’s Global Research and Analysis Team encountered two unexpected detections within the WININIT.EXE process, triggered by the code sequences that were earlier observed in the Equation malware. StripedFly activity had been ongoing since at least 2017 and had effectively evaded prior analysis, previously being misclassified as a cryptocurrency miner. After conducting a comprehensive examination of the issue, it was discovered that the cryptocurrency miner was merely a component of a much larger entity – a complex, multi-platform, multi-plugin malicious framework.
The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group, potentially expanding its motives from financial gain to espionage. Notably, the Monero cryptocurrency mined by this module reached its peak value at $542.33 on 9th January 2018, compared to its 2017 value of around $10. As of 2023, it has maintained a value of approximately $150. Kaspersky experts emphasize that the mining module is the primary factor enabling the malware to evade detection for an extended period.
The attacker behind this operation has acquired extensive capabilities to clandestinely spy on victims. The malware harvests credentials every two hours, pilfering sensitive data such as site and WIFI login credentials, along with personal data such as name, address, phone number, company, and job title. Furthermore, the malware can capture screenshots on the victim’s device without detection, gain significant control over the machine, and even record microphone input.
The initial infection vector remained unknown until Kaspersky’s further investigation revealed the use of a custom-made EternalBlue ‘SMBv1’ exploit to infiltrate the victim’s systems. Despite the public disclosure of the EternalBlue vulnerability in 2017, and Microsoft’s subsequent release of a patch (designated as MS17-010), the threat it presents remains significant due to many users not having updated their systems.
During the technical analysis of the campaign, Kaspersky experts observed similarities to the Equation malware. These include technical indicators such as signatures associated with the Equation malware, as well as coding style and practices resembling those seen in the StraitBizzare (SBZ) malware. Based on download counters displayed by the repository where the malware is hosted, the estimated number of StripedFly targets reached over one million victims all around the globe.
‘The amount of effort invested in creating this framework is truly remarkable, and its unveiling was quite astonishing. Threat actors’ ability to adapt and evolve is a constant challenge, which is why it’s so important for us as researchers to continue to dedicate our efforts into uncovering and disseminating sophisticated cyberthreats, and for customers not to forget about comprehensive protection,’ comments Sergey Lozhkin, Principal Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
Read more about StripedFly on Securelist.com.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Update your operating system, applications, and antivirus software regularly to patch any known vulnerabilities.
- Be cautious of emails, messages, or calls asking for sensitive information. Verify the sender’s identity before sharing any personal details or clicking on suspicious links.
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online trainingdeveloped by GReAT experts
- For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.