Kaspersky experts have uncovered a previously unknown, highly sophisticated StripedFly malware with global reach affecting over 1-million victims since at least 2017.

Initially acting as a cryptocurrency miner, it turned out to be complex malware with a multi-functional wormable framework.

In 2022, Kaspersky’s Global Research and Analysis Team encountered two unexpected detections within the WININIT.EXE process, triggered by the code sequences that were earlier observed in the Equation malware. This activity had been ongoing since at least 2017 and had effectively evaded prior analysis, previously being misclassified as a cryptocurrency miner.

After conducting a comprehensive examination of the issue, it was discovered that the cryptocurrency miner was merely a component of a much larger entity – a complex, multi-platform, multi-plugin malicious framework.

The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group, potentially expanding its motives from purely espionage to include financial gain. Notably, the Monero cryptocurrency mined by this module reached its peak value at $542.33 on January 9, 2018, compared to its 2017 value of around $10. As of 2023, it has maintained a value of approximately $150. Kaspersky experts emphasise that the mining module is the primary factor enabling the malware to evade detection for an extended period.

The attacker behind this operation has acquired extensive capabilities to clandestinely spy on victims. The malware harvests credentials every two hours, pilfering sensitive data such as site and WiFi login credentials, along with identifying the victim’s details including their job title. Furthermore, the malware can capture screenshots on the victim’s device without detection, gain significant control over the machine, and even record microphone input.

The initial infection vector remained unknown until Kaspersky’s further investigation revealed the use of a custom-made EternalBlue ‘SMBv1′ exploit to infiltrate the victim’s systems. Despite the public disclosure of the EternalBlue vulnerability in 2017, and Microsoft’s subsequent release of a patch (designated as MS17-010), the threat it presents remains significant due to many users not having updated their systems.

During the technical analysis of the campaign, Kaspersky experts observed similarities to the Equation malware. These include technical indicators such as signatures associated with the Equation malware, as well as coding style and practices resembling those seen in the StraitBizzare (SBZ) malware. Based on download counters displayed by the repository where the malware is hosted, the estimated number of StripedFly targets reached over one million victims all around the globe.

“The amount of effort invested in creating this framework is truly remarkable, and its unveiling was quite astonishing. Cybercriminals’ ability to adapt and evolve is a constant challenge, which is why it’s so important for us as researchers to continue to dedicate our efforts into uncovering and disseminating sophisticated cyberthreats, and for customers not to forget about comprehensive protection from cybercrime,” comments Sergey Lozhkin, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).