For more than five years, a sophisticated malware outbreak disguising itself as a cryptocurrency miner has evaded detection and infected at least one million machines globally.
Kaspersky tracks the threat under the codename StripedFly and describes it as an “intricate modular framework that supports both Linux and Windows.”
The miner is only one component of a much larger framework that uses a customized version of the EternalBlue SMBv1 exploit attributed to the Equation Group to infect publicly accessible computers, according to the Russian cybersecurity provider, which first came across the samples in 2017.
Delivered using the exploit, the malicious shellcode can run PowerShell scripts and retrieve binary files from a remote Bitbucket repository. Additionally, it has a number of extendable, plugin-like characteristics that allow it to capture private information and even remove itself.
The platform’s shellcode is injected into the legitimate Windows process wininit.exe, which is launched by the boot manager (BOOTMGR) and manages the startup of multiple services.
Security experts Sergey Belov, Vilen Kamalov, and Sergey Lozhkin stated in a technical study released last week that “the malware payload itself is structured as a monolithic binary executable code designed to support pluggable modules to extend or update its functionality.”
“It comes equipped with a built-in TOR network tunnel for communication with command servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives.”
It can also collect microphone input, take screenshots on the target’s device covertly, gather credentials every two hours, and launch a reverse proxy to carry out remote operations, among other noteworthy spy modules.
After establishing a foothold, the malware disables the SMBv1 protocol on the compromised host and spreads to new machines through a worming module that propagates over SMB and SSH, using keys harvested from the compromised systems.
On Windows, StripedFly achieves persistence either by modifying the Windows Registry or, when it has administrative access and the PowerShell interpreter is available, by creating task scheduler entries. On Linux, it persists by editing the /etc/rc*, profile, bashrc, or inittab files, or by installing a systemd user service or an autostarted .desktop file.
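As an added defender-side example (not code from the article or from Kaspersky’s report), the script below audits the Linux persistence locations listed above inside a constructed sample tree and reports every launch directive it finds. The keyword heuristic that marks a line as suspect is my own assumption, not a published indicator, and the sample files are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
# Heuristic for a launch line pointing somewhere odd: own assumption, not a Kaspersky indicator.
SUSPECT = re.compile(r"/tmp/|/dev/shm/|\bcurl\b|\bwget\b|\bbase64\b|\bnohup\b")

def _lines(path):
    """Non-empty, non-comment lines of `path`; a missing file gives none."""
    text = path.read_text(errors="replace") if path.is_file() else ""
    return [s for s in map(str.strip, text.splitlines()) if s and not s.startswith("#")]

def audit_persistence(root):
    """Scan the persistence spots named in the write-up under `root` (stands in for home and /)."""
    root = Path(root)
    checks = [  # (kind, candidate files, regex a line must match; None = SUSPECT heuristic only)
        ("systemd-user", root.glob(".config/systemd/user/*.service"), r"^ExecStart="),
        ("autostart-desktop", root.glob(".config/autostart/*.desktop"), r"^Exec="),
        ("inittab", [root / "etc/inittab"], r":respawn:|:once:"),
        ("rc-script", list(root.glob("etc/rc*.d/*")) + [root / "etc/rc.local"], None),
        ("shell-rc", [root / ".bashrc", root / ".profile", root / "etc/profile"], None),
    ]
    findings = []
    for kind, files, key in checks:
        for f in files:
            for line in _lines(f):
                # Unit, desktop and inittab files: report every launch directive.
                # rc scripts and shell profiles: report only lines hitting the heuristic.
                wanted = SUSPECT.search(line) if key is None else re.search(key, line)
                if wanted:
                    findings.append({"kind": kind, "file": str(f), "line": line,
                                     "suspect": bool(SUSPECT.search(line))})
    return findings

def build_sample_tree(root):
    """Write a constructed mini filesystem: one benign entry and three odd ones."""
    root = Path(root)
    samples = {
        ".config/systemd/user/updater.service": "[Service]\nExecStart=/tmp/.x/upd --quiet\n",
        ".config/autostart/sync.desktop": "[Desktop Entry]\nExec=/usr/bin/nextcloud --background\n",
        ".bashrc": "alias ll='ls -l'\nnohup /dev/shm/.cache/run >/dev/null 2>&1 &\n",
        "etc/inittab": "id:3:initdefault:\nx1:3:respawn:/tmp/.svc\n",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)

def demo():
    """Build the sample tree in a scratch directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return audit_persistence(d)
```

Running `audit_persistence("/")` together with `audit_persistence(Path.home())` covers a real host; every hit still needs an analyst to decide whether the launched program is legitimate.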
A Monero cryptocurrency miner that resolves its pool servers through DNS over HTTPS (DoH) requests is also downloaded, giving the activity an additional degree of stealth. The miner is assessed to be a decoy that keeps security tools from recognizing the malware’s full capabilities.
Offloadable malware components are hosted as encrypted binaries on code repository platforms such as Bitbucket, GitHub, and GitLab in an effort to reduce the footprint on the infected host.
For example, the threat actor has been operating a Bitbucket repository since June 2018 that contains executable files capable of serving the initial infection payload for Linux and Windows, checking for updates, and ultimately updating the malware.
A lightweight proprietary implementation of a TOR client is used for communication with the command-and-control (C2) server, which is housed within the TOR network. This implementation does not rely on any publicly available techniques.
“This functionality demonstrates a remarkable level of dedication. The goal of hiding the C2 server at all costs drove the development of a unique and time-consuming project – the creation of its own TOR client,” the researchers added.
Another noteworthy feature is that these repositories serve as a fallback for obtaining update files should the primary source, the C2 server, become unresponsive.
Kaspersky also reports discovering a ransomware family dubbed ThunderCrypt that shares substantial source code with StripedFly but lacks the SMBv1 infection module. ThunderCrypt is said to have been deployed against targets in Taiwan in 2017.
Though StripedFly’s origins remain unclear, the framework’s sophistication and its ties to EternalBlue fit the profile of an advanced persistent threat (APT) actor.
It’s important to note that although the EternalBlue exploit was leaked by the Shadow Brokers on April 14, 2017, the earliest known version of StripedFly to use EternalBlue was discovered on April 9, 2016. Since the leak, Russian and North Korean hacker groups have repurposed the EternalBlue exploit to spread the WannaCry and Petya malware.
Nevertheless, as Check Point revealed in February 2021, there is evidence that Chinese hacking groups might have had access to some of the Equation Group’s exploits prior to their public release.
According to Kaspersky, the malware’s coding language and methods are comparable to those of STRAITBIZARRE (SBZ), another cyber espionage platform used by the adversarial collective suspected of having ties to the United States.
This development occurs almost two years after researchers at China’s Pangu Lab revealed the details of a “top-tier” backdoor known as Bvp47, which was purportedly used by the Equation Group on over 287 targets in 45 different countries, spanning several sectors.
The true goal of the campaign remains unknown to everyone except the people who created the software.
“While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn’t opt for the potentially more lucrative path instead,” the investigators stated.
“It’s difficult to accept the notion that such sophisticated and professionally designed malware would serve such a trivial purpose, given all the evidence to the contrary.”