During one of its investigations, Kaspersky's research and analysis team identified suspicious behavior in the process WININIT.EXE.
In this context it was then possible to identify StripedFly, a malware that has been active since at least 2017 and until then had been classified merely as a cryptocurrency miner. After careful analysis it turned out to be much more dangerous than expected: it is built on a more complex framework and can be combined with additional plugins.
Apparently the malware can be modified at will by its creators, acting not only as a miner but also as ransomware or as an espionage tool. As for its cryptojacking functions, StripedFly focuses on the Monero cryptocurrency.
As already mentioned, however, the malware goes much further: it can steal sensitive data and credentials on a two-hour cadence, capture screenshots of the victim's display, and record microphone input.
StripedFly: it all starts from an old vulnerability, ignored by many users
The initial infection vector remained unknown until further investigation by Kaspersky revealed the use of the EternalBlue exploit against SMBv1 to infiltrate victim systems. Despite the public disclosure of the EternalBlue vulnerability in 2017 and Microsoft's subsequent release of a patch (specifically MS17-010), the threat remains significant because many users have not updated their operating systems.
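As an added example, not part of the Kaspersky report, the following PowerShell audit checks whether a Windows host still exposes the SMBv1 surface that EternalBlue targets; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, and the `KB_PLACEHOLDER` value must be replaced with the MS17-010 update ID for the host's OS build.

```powershell
# Added example (not from the original article): audit a Windows host for
# SMBv1 exposure and for the MS17-010 update. Run elevated.

# 1. Is the SMBv1 server protocol enabled? (SmbShare module, Win 8.1+/2012 R2+)
$serverCfg  = Get-SmbServerConfiguration
$smb1Server = $serverCfg.EnableSMB1Protocol

# 2. Optional-feature state on Windows 10 / Server 2016 and later.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
           -ErrorAction SilentlyContinue

# 3. Is the MS17-010 update present? The KB number differs per OS build,
#    so 'KB_PLACEHOLDER' is a labelled placeholder to be replaced locally.
$ms17010Kb = 'KB_PLACEHOLDER'
$hotfix    = Get-HotFix -Id $ms17010Kb -ErrorAction SilentlyContinue

[PSCustomObject]@{
    ComputerName     = $env:COMPUTERNAME
    Smb1ServerOn     = $smb1Server
    Smb1FeatureState = if ($feature) { $feature.State } else { 'n/a' }
    Ms17010Installed = [bool]$hotfix
}

if ($smb1Server) {
    Write-Warning "SMBv1 server is enabled: EternalBlue (MS17-010) attack surface is present."
    # Remediation, to be applied after change control:
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
```

Disabling SMBv1 removes the protocol EternalBlue abuses, but installing MS17-010 is still required so that the vulnerable code is patched rather than merely switched off.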
During the technical analysis of the campaign, Kaspersky experts observed similarities with another malware, known as Equation. These include similar coding styles and practices and other features that make the two malware almost siblings. Based on the download counters displayed by the repository where the malware is hosted, the estimated number of StripedFly victims worldwide has exceeded one million.
Sergey Lozhkin, Principal Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT), stated: "The amount of effort put into creating this facility is truly remarkable and its grand opening was quite surprising. The ability of threat actors to adapt and evolve is a constant challenge, which is why it is so important for us as researchers to continue to dedicate our efforts to discovering and spreading sophisticated cyber threats, and that customers do not forget about comprehensive protection."