
StripedFly and Malware – A Web of Deception

StripedFly is a malware platform that spread to more than a million systems worldwide while drawing almost no attention. What makes it notable is less any single capability than its stealth: it operated covertly for years under the cover of a misdiagnosis.

StripedFly’s Concealed Footprints

StripedFly remained undetected for roughly five years, during which it compromised more than a million Windows and Linux systems. It was only in October 2023 that Kaspersky published an analysis of the platform, which until then had been misclassified as an ordinary cryptocurrency miner. Its architecture and concealment measures, notably a built-in TOR client for command-and-control traffic and a self-updating mechanism, point to a capable, well-resourced author. Given that sophistication, its purpose is likely broader than financial gain; Kaspersky suggests it may be an espionage tool, though that remains an inference rather than an established fact.

Tracing StripedFly’s Origin

On the timeline, the earliest known StripedFly sample carrying an EternalBlue exploit dates from April 2016, roughly a year before the Shadow Brokers publicly released the EternalBlue exploit in April 2017. Kaspersky first encountered StripedFly as code injected into the WININIT.EXE process on Windows. Their analysis also showed that the implant does not operate in isolation: it retrieves auxiliary files, such as PowerShell scripts, from legitimate code-hosting services, which lets the download traffic blend in with ordinary activity.

Unveiling the Infection Strategy of StripedFly

StripedFly’s propagation strategy is methodical. Initial compromise most likely came through its customized EternalBlue exploit against SMBv1 on internet-exposed hosts. Once inside, it routes command-and-control traffic through a built-in custom TOR client, with the C2 server itself hosted on the TOR network, and it carries the components needed to spread to both Windows and Linux machines, including via SSH and the same SMBv1 exploit. Getting in is only half the job: StripedFly also uses several persistence techniques, choosing among them according to the environment it lands in, such as the privileges it holds and the tooling available on the host.

[Figure: StripedFly infection chain. Source: Kaspersky]
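EternalBlue only works against a host that negotiates SMBv1, so the precondition for the initial-access path described above is visible on the wire before any exploit traffic appears. The following Python is an added example, not code from Kaspersky’s report or from the malware itself: it parses SMB Negotiate requests at a network boundary and flags an SMB1-format negotiate that offers no SMB 2.x dialect and arrives from outside RFC 1918 space. The packet layout follows the published SMB1 wire format; the sample packets, source addresses (documentation ranges used as stand-ins) and function names are constructed for this example.

```python
import ipaddress
import struct

# SMB wire constants: protocol identifiers and the SMB1 Negotiate command code
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32

# "Internal" here means RFC 1918 only (an assumption of this example)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def strip_netbios(payload: bytes) -> bytes:
    """Drop the 4-byte NetBIOS session service header (type 0x00 + 3-byte length) if present."""
    if len(payload) >= 8 and payload[0] == 0 and payload[4:8] in (SMB1_MAGIC, SMB2_MAGIC):
        return payload[4:]
    return payload


def parse_smb1_negotiate(payload: bytes):
    """Return the dialect strings offered in an SMB1 Negotiate Protocol request, or None.

    Layout: 32-byte SMB1 header, then WordCount (0 for Negotiate), ByteCount (LE uint16),
    then ByteCount bytes of dialects, each encoded as 0x02 + NUL-terminated ASCII string.
    """
    payload = strip_netbios(payload)
    if len(payload) < SMB1_HEADER_LEN + 3 or payload[:4] != SMB1_MAGIC:
        return None
    if payload[4] != SMB1_COM_NEGOTIATE:
        return None
    if payload[SMB1_HEADER_LEN] != 0:  # WordCount must be 0 for a Negotiate request
        return None
    (byte_count,) = struct.unpack_from("<H", payload, SMB1_HEADER_LEN + 1)
    data = payload[SMB1_HEADER_LEN + 3:SMB1_HEADER_LEN + 3 + byte_count]
    if len(data) != byte_count:
        return None  # truncated packet
    dialects = []
    for chunk in data.split(b"\x00"):
        if chunk.startswith(b"\x02"):
            dialects.append(chunk[1:].decode("ascii", errors="replace"))
    return dialects


def is_internal(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in RFC1918)


def classify_negotiate(src_ip: str, payload: bytes) -> str:
    """Label one inbound SMB packet. Only an SMB1-only negotiate can lead to an EternalBlue session."""
    body = strip_netbios(payload)
    if body[:4] == SMB2_MAGIC:
        return "smb2-negotiate"  # SMBv1 never negotiated; EternalBlue not applicable
    dialects = parse_smb1_negotiate(body)
    if dialects is None:
        return "not-a-negotiate"
    if any(d.startswith("SMB 2.") for d in dialects):
        # Modern clients begin with an SMB1-format multi-protocol negotiate that offers SMB 2.x;
        # a server with SMB2 enabled answers in SMB2, so this alone is not an SMBv1 session.
        return "smb1-multiprotocol-negotiate"
    if is_internal(src_ip):
        return "smb1-only-negotiate"
    return "ALERT smb1-only-negotiate-from-internet"


def build_smb1_negotiate(dialects) -> bytes:
    """Construct a minimal SMB1 Negotiate request (constructed test input, not captured traffic)."""
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 4   # magic, command, NT status
    header += b"\x18" + struct.pack("<H", 0xC853)                      # Flags, Flags2
    header += b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2                  # PIDHigh, SecurityFeatures, Reserved
    header += b"\x00" * 8                                              # TID, PIDLow, UID, MID
    assert len(header) == SMB1_HEADER_LEN
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body       # WordCount=0, ByteCount, dialects
    return b"\x00" + len(smb).to_bytes(3, "big") + smb                 # NetBIOS session header


# Constructed sample: three inbound packets with their source addresses (documentation ranges)
SAMPLE_EVENTS = [
    ("203.0.113.7", build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])),
    ("10.0.0.5", build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    ("198.51.100.9", b"\x00\x00\x00\x40" + SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 58),
]


def triage(events):
    """Return (source, verdict) pairs for a list of (source, packet) events."""
    return [(src, classify_negotiate(src, pkt)) for src, pkt in events]


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_EVENTS):
        print(f"{src:15} {verdict}")
```

This flags the precondition, not the exploit: EternalBlue’s actual trigger lives in later SMBv1 Trans2 requests, so a hit here means an external client is trying to talk SMBv1 to a host that should not be reachable on port 445 at all. The practical fix on the server side is to disable SMBv1 and block 445 at the perimeter; this check is what tells you whether anyone is still knocking.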

StripedFly’s Infection Tally

Between April and September 2023, StripedFly infected roughly 60,000 systems, a figure derived from download counters on the Bitbucket repository that hosted its components. Since it first appeared, it is believed to have compromised more than a million devices. Numbers like these show how far it spread while going unrecognized.

Dissecting StripedFly Modules

StripedFly’s strength lies in its modular design, a swiss-army knife among malware. Its modules cover encrypted configuration storage, self-updating, remote command execution, credential harvesting, host reconnaissance, a reverse proxy, SSH and SMBv1 infectors, and data collection. Notably, its Monero mining module, active during the cryptocurrency’s peak-value period, led analysts to file the whole platform away as a miner for years. That mining was most likely a decoy; the framework’s real agenda appears to be data theft and sustained access to compromised systems.

StripedFly – The Silent Cyber Menace

In an age where cyber threats evolve rapidly, StripedFly stands as a testament to the covert dangers lurking in the shadows. It’s not just the immediate threat but the prolonged, undetected presence that makes it a formidable foe in the world of malware.
