In a shocking revelation, an advanced strain of malware has surfaced that successfully evaded detection for more than five years while infecting over one million devices worldwide. This malware, codenamed StripedFly, is described as an intricate modular framework capable of targeting both Linux and Windows systems.
Samples of StripedFly were first identified back in 2017. The malware is part of a larger entity that employs a custom EternalBlue SMBv1 exploit, initially attributed to the Equation Group, to infiltrate publicly accessible systems.
The malicious shellcode delivered through the exploit is capable of downloading binary files from a remote Bitbucket repository and executing PowerShell scripts. It also supports various expandable features, akin to plugins, allowing it to harvest sensitive data and even uninstall itself.
To maintain stealth, the malware injects its shellcode into the legitimate wininit.exe process, which is essential for initializing various Windows services. The malware’s payload is designed as a monolithic binary executable code that can support pluggable modules, extending or updating its functionality.
Furthermore, StripedFly uses a built-in TOR network tunnel to communicate with its command servers and utilizes trusted services like GitLab, GitHub, and Bitbucket for update and delivery functionality, all secured with custom encrypted archives.
Among its spy modules, StripedFly can gather credentials at two-hour intervals, capture screenshots on the victim’s device without detection, record microphone input, and create a reverse proxy for remote actions.
Upon infiltrating a system, StripedFly disables the SMBv1 protocol and propagates itself to other machines using a worming module via both SMB and SSH, leveraging keys harvested from compromised systems.
The malware establishes persistence by modifying the Windows Registry or creating task scheduler entries, provided the system has the PowerShell interpreter and administrative access. On Linux, persistence is achieved through a systemd user service, autostarted .desktop file, or modifications to various system files.
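As an added defensive illustration (not from the original report or the researchers behind it), the check below walks the two Linux user-level persistence locations named above, systemd user units and autostart .desktop files, and flags entries whose ExecStart/Exec target lives outside standard binary directories. The trusted-prefix list and the sample entries are constructed assumptions to tune per environment.

```python
import re
from pathlib import Path
from typing import Optional

# Directories a legitimate ExecStart=/Exec= target usually lives in (assumption: tune per fleet).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/", "/opt/", "/snap/")

def exec_target(text: str) -> Optional[str]:
    """Return the executable path named by the first ExecStart= (unit) or Exec= (.desktop) line."""
    m = re.search(r"^\s*Exec(?:Start)?\s*=\s*(\S+)", text, re.MULTILINE)
    if not m:
        return None
    return m.group(1).lstrip("-@+!:")  # drop systemd ExecStart prefix modifiers such as "-"

def is_suspicious(path: str) -> bool:
    """Flag targets outside trusted directories, e.g. /tmp, /dev/shm or a hidden directory in $HOME."""
    if not path.startswith("/"):  # relative or bare command: unit files require absolute paths
        return True
    return not path.startswith(TRUSTED_PREFIXES)

def scan_entries(entries: dict) -> list:
    """entries maps file name -> file content; returns (file, target) pairs that merit review."""
    hits = []
    for name, content in entries.items():
        target = exec_target(content)
        if target is not None and is_suspicious(target):
            hits.append((name, target))
    return hits

def scan_home(home: Path) -> list:
    """Scan the two user-level persistence locations from the report for the given home directory."""
    files = list((home / ".config/systemd/user").glob("*.service"))
    files += list((home / ".config/autostart").glob("*.desktop"))
    return scan_entries({str(p): p.read_text(errors="replace") for p in files})

# Constructed sample entries (not real StripedFly artifacts): one benign, two suspicious.
SAMPLE_ENTRIES = {
    "~/.config/autostart/nm-applet.desktop":
        "[Desktop Entry]\nType=Application\nExec=/usr/bin/nm-applet\n",
    "~/.config/systemd/user/update.service":
        "[Unit]\nDescription=update\n[Service]\nExecStart=-/home/user/.cache/.x/upd --daemon\n"
        "[Install]\nWantedBy=default.target\n",
    "~/.config/autostart/sync.desktop":
        "[Desktop Entry]\nType=Application\nExec=/dev/shm/sync\n",
}

if __name__ == "__main__":
    for name, target in scan_entries(SAMPLE_ENTRIES):
        print(f"review: {name} -> {target}")
```

Run scan_home(Path.home()) on a live host to apply the same check to the real directories; a hit is a lead for review, not proof of infection.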
Additionally, StripedFly's bundled cryptocurrency miner uses DNS over HTTPS (DoH) requests to resolve its pool servers, enhancing its stealth. This miner acts as a decoy to mask the full extent of the malware's capabilities from security software.
To reduce its footprint, components of the malware that can be offloaded are hosted as encrypted binaries on code repository hosting services like Bitbucket, GitHub, and GitLab. For instance, the Bitbucket repository, operational since June 2018, contains executable files for spreading the initial infection payload on both Windows and Linux systems and checking for updates.
Strikingly, StripedFly’s communication with its command-and-control (C2) server, hosted on the TOR network, utilizes a custom TOR client, distinct from publicly documented methods, highlighting the dedication of its creators to hide the C2 server at all costs.
Moreover, these repositories serve as fallback mechanisms for the malware to download update files when the primary C2 server becomes unresponsive. A ransomware family called ThunderCrypt has also been discovered that shares significant source code overlaps with StripedFly, albeit without the SMBv1 infection module. ThunderCrypt was used against targets in Taiwan in 2017.
The origins of StripedFly remain unknown, but its sophistication and parallels to EternalBlue suggest an advanced persistent threat (APT) actor may be behind it.
Notably, the earliest version of StripedFly that incorporated EternalBlue dates back to April 9, 2016, predating the Shadow Brokers’ leak of the exploit on April 14, 2017. Since the leak, the EternalBlue exploit has been repurposed by various hacking groups, including North Korean and Russian outfits responsible for spreading the WannaCry and Petya malware.
There is evidence suggesting that Chinese hacking groups may have had access to Equation Group exploits before they were leaked online, as reported by Check Point in February 2021. The coding style and practices of StripedFly also reflect similarities with malware associated with the Equation Group, such as STRAITBIZARRE (SBZ), a cyber espionage platform linked to a suspected U.S.-linked adversarial collective.
Despite these discoveries, the true purpose of StripedFly remains a mystery, leaving security experts puzzled as to why such a sophisticated and professionally designed malware would serve what appears to be a trivial motive.
To mitigate the risk of long-term malware infiltration, organizations must invest in robust cybersecurity practices. Regularly updating software, especially to patch known vulnerabilities, is crucial. Employing intrusion detection systems and implementing network monitoring can help identify unusual activity.