StripedFly Malware Operated Undetected for 5 Years, Infecting 1 Million Devices

StripedFly Malware

An advanced strain of malware masquerading as a cryptocurrency miner has managed to fly under the radar for more than five years, infecting no less than a million devices worldwide in the process.

That’s according to findings from Kaspersky, which codenamed the threat StripedFlywhich describes it as an “intricate modular framework that supports Linux and Windows.”

The Russian cybersecurity vendor, which first spotted the samples in 2017, said the miner was part of a larger entity that used a custom EternalBlue SMBv1 exploit attributed to the Equation Group to infiltrate publicly accessible systems.

The malicious shellcode, delivered via an exploit, has the ability to download binary files from a remote Bitbucket repository as well as execute PowerShell scripts. It also supports a collection of plugin-like extensible features to harvest sensitive data and even uninstall itself.

The platform shellcode is injected into the wininit.exe processa legitimate Windows process started by the boot manager (BOOTMGR) and manages the GETTING on different services.

“The malware payload itself is structured as a monolithic binary executable code designed to support pluggable modules to extend or update its functionality,” security researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin. SAYS in a technical report published last week.

“It is equipped with a built-in TOR network tunnel for communication with command servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using the custom encrypted archives.”


Some popular spy modules allow it to collect credentials every two hours, take screenshots of the victim’s device without detection, record microphone input, and start a reverse proxy to execute the distant actions.

Having gained a successful foothold, the malware proceeds to disable the SMBv1 protocol on the infected host and spread the malware to other machines using a worming module via SMB and SSH, using keys which are harvested in hacked systems.

StripedFly achieves persistence by modifying the Windows Registry or by creating entries in the task scheduler when the PowerShell interpreter is installed and administrative access is available. On Linux, persistence is done through a systemd user service, autostarted .desktop file, or by modifying the /etc/rc*, profile, bashrc, or inittab files.

Also downloaded is a Monero cryptocurrency miner that uses DNS over HTTPS (DoH) requests to resolve pool servers, adding an extra layer of stealth to malicious activities. It is assessed that the miner is used as a decoy to prevent security software from detecting the full potential of the malware.

In an effort to minimize the footprint, malware components that can be offloaded are hosted as encrypted binaries on various code repository hosting services such as Bitbucket, GitHub, or GitLab.

For example, the Bitbucket repository operated by the threat actor since June 2018 includes executable files capable of serving the initial payload of the infection on Windows and Linux, checking for new updates, and finally updating the malware.

Communication with the command-and-control (C2) server, hosted on the TOR network, takes place using a custom, lightweight implementation of a TOR client that is not based on any publicly documented method.

“The level of dedication shown in this functionality is remarkable,” the researchers said. “The goal of hiding the C2 server at all costs drives the development of a unique and one-time project – the creation of its own TOR client.”

Another unique characteristic is that these repositories act as fallback mechanisms for the malware to download update files when its main source (ie, the C2 server) becomes unresponsive.

Kaspersky says it has additionally found a ransomware family called ThunderCrypt that shares important source code that overlaps with StripedFly’s blocking SMBv1 infection module loss. ThunderCrypt was allegedly used against targets in Taiwan in 2017.

The origins of StripedFly remain unknown today, although the sophistication of the framework and its similarity to EternalBlue show all the hallmarks of an advanced persistent threat (APT) actor.

It’s worth pointing out that while the Shadow Brokers leak of the EternalBlue exploit happened on April 14, 2017, the earliest known version of StripedFly that included EternalBlue dates back a year to April 9, 2016. Since leak, the EternalBlue exploit has been repurposed by North Korean and Russian hacking outfits to spread the WannaCry and Petya malware.


That said, there is also evidence that Chinese hacking groups may have had access to some of Equation Group’s exploits before they were leaked online, as Check Point disclosed in February 2021.

Similarities to the malware associated with the Equation group, Kaspersky said, can also be seen in the coding style and practices similar to those seen in STRAITBIZARRE (SBZ), another cyber espionage platform used by the suspected collective enemy of the US.

The development comes nearly two years after researchers from China’s Pangu Lab detailed a “top-tier” backdoor called Bvp47 that Equation Group says is used on more than 287 targets spanning many sectors in 45 countries.

Needless to say, one key aspect of the campaign that remains a mystery – except to those who engineered the malware – is its true purpose.

“While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they did not choose a potentially more profitable path,” the researchers said.

“It is hard to accept the idea that such sophisticated and professionally designed malware would serve so little purpose, given all the evidence to the contrary.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment