The StripedFly cryptominer, initially believed to be a simple piece of criminal malware designed for cryptomining, has been revealed to be much more sinister. Cybersecurity company Kaspersky discovered it in 2017 but at the time dismissed it as uninteresting and unsuccessful, since it yielded only small amounts of cryptocurrency. It has now been discovered that StripedFly is actually an espionage operation masquerading as a cryptominer.
According to Kim Zetter’s Zero Day newsletter, StripedFly is a carefully designed espionage toolset that cleverly disguised itself as a stumblebum criminal operation. It turns out that the purpose of StripedFly was not to mine cryptocurrency, but rather to collect valuable information. The malware includes components for harvesting credentials, stealing files, capturing screenshots, and recording conversations. Additionally, it has an updating function that allows the attackers to push out new versions whenever Windows and Linux operating systems are updated. The malware is distributed from encrypted archives stored on platforms like GitLab, GitHub, and Bitbucket.
Although the exact attribution of StripedFly remains unknown, the malware used in this operation has a provenance in espionage. Initial access is gained through a variant of EternalBlue, an exploit attributed to the Equation Group, which is widely believed to be associated with the US National Security Agency. EternalBlue was made public by the ShadowBrokers in April 2017, a month after Microsoft had patched the vulnerability. Since then, other actors, including China’s Ministry of State Security, have used variations of EternalBlue. It remains unclear who is behind StripedFly, but it is undoubtedly an espionage operation rather than a run-of-the-mill criminal scheme.
The fact that StripedFly was able to masquerade successfully as a cryptominer for so long is significant. Colin Little, a Security Engineer at Centripetal, emphasizes how rare it is for a malware framework to achieve such wide proliferation and such a long lifespan. He also underscores the importance of threat intelligence in detecting and preventing similar attacks, as it can help identify indicators of compromise. Monitoring for network- and endpoint-based indicators, such as the use of PowerShell, can give enterprises valuable insight into potential threats.
Overall, the discovery of StripedFly as an espionage operation highlights the importance of not underestimating the capabilities and intentions of malicious actors. By disguising themselves as low-grade criminals, they can evade suspicion and carry out sophisticated attacks. Staying vigilant and utilizing effective threat intelligence and monitoring mechanisms are crucial in defending against such deceptive tactics.