Cyber security News
From Search Results to Malware Lures: SEO Poisoning
Qakbot: The Evil Duck Reappears
Structural Foundations of Windows Architecture
LockBit 3.0 and Citrix Bleed Vulnerability (CVE-2023-4966)
Generative AI and Cybersecurity: New Threat Landscape
LockBit Ransomware Surge in 2023: A Record-Breaking Menace
Microsoft’s November 2023 Patch:Confronts Five Zero-Day Threats
Threat of Malvertising in the Cybersecurity Landscape
Cybersecurity News: Nov 5-Nov 11
What it takes to be a proficient threat hunter

Secknowers

The one who knows Security

Threat Intel

News Threat Intel

StripedFly:Malware Hidden as a Cryptominer

StripedFly malware is a highly sophisticated and stealthy maware that has been in operation since at least 2017, affecting over a million victims globally. Initially masquerading as a cryptocurrency miner, deeper analysis unveiled its multifaceted capabilities extending far beyond cryptocurrency mining. Here are the key aspects of StripedFly malware based on various reports and additional insights.

Architecture

Based on the report published by Kaspersky, StripedFly operates as a monolithic binary executable with pluggable modules. This design allows for operational versatility often found in Advanced Persistent Threat (APT) operations. The modular nature of StripedFly enables the addition of various functionalities without altering the core structure of the malware, making it a flexible and adaptable threat.

StripedFly Windows execution flow (Kaspersky)

StripedFly Windows execution flow (Kaspersky)

Evolution

Initially functioning as a cryptocurrency miner, StripedFly was later discovered to have a complex, multifunctional wormable framework. This framework enables the malware to function as an APT, a crypto miner, and potentially even as a ransomware group, indicating a possible evolution in motives from financial gain to espionage over time.

Impact

StripedFly has had a significant impact with a global reach, affecting over a million Windows and Linux computers worldwide since 2016 or 2017. This global reach illustrates the significant threat posed by StripedFly to both individual and organizational cybersecurity, transcending geographical and platform boundaries.

Modus Operandi

StripedFly harvests credentials every two hours, collecting a range of sensitive data including site and WiFi login credentials, and personal information. It can capture screenshots, exert significant control over infected machines, and even record microphone input without detection, underlining its invasive and persistent nature.

Infection Vector

The initial infection vector was uncovered as a custom-made EternalBlue ‘SMBv1′ exploit used to infiltrate victims’ systems. Despite the public disclosure of the EternalBlue vulnerability in 2017 and the subsequent release of a patch by Microsoft, many users failed to update their systems, leaving a significant number of computers vulnerable to StripedFly exploitation.

Discovery and Analysis

StripedFly’s sophisticated nature allowed it to evade detection for a prolonged period, being misclassified as a mere cryptocurrency miner. The extensive analysis conducted by cybersecurity researchers unveiled the remarkable effort invested in creating this malicious framework and highlighted the necessity for continuous research and vigilance in the cybersecurity domain.

Cross-Platform Nature

StripedFly is identified as a cross-platform malware capable of infecting both Windows and Linux systems. Its cross-platform nature broadens the scope of potential victims and presents a challenge for cybersecurity measures across different operating environments .

Attack Mitre Techniques

Att&ck IDs
T1210 – Exploitation of Remote Services 
 T1564 – Hide Artifacts 
 TA0004 – Privilege Escalation 
 T1053 – Scheduled Task/Job 
 T1060 – Registry Run Keys / Startup Folder 
 T1094 – Custom Command and Control Protocol 
 T1573 – Encrypted Channel 

Alientvault OTX Pulse

Virustoatal Analysis