StripedFly - a Complex Malware That Evaded Detection for Years

Initially believed to be a simple cryptocurrency mining malware, StripedFly has turned out to be a highly sophisticated espionage platform designed for both Windows and Linux systems, with a staggering number of over 1 million infected victims.

When StripedFly was first identified in 2017, it was mistakenly dismissed as a relatively ineffective crypto-mining malware. However, it has since revealed itself to be a complex modular malware, enabling cyber attackers to maintain a persistent presence in networks, gain extensive visibility into their operations, and exfiltrate data as needed. While it can indeed mine Monero cryptocurrency, its capabilities go far beyond this, as discovered by security researchers who conducted a thorough investigation before sharing their findings.

In essence, StripedFly is now considered a prime example of advanced persistent threat (APT) malware. It includes an embedded Tor network tunnel for communication with command-and-control (C2) servers and features update and delivery mechanisms through trusted platforms like GitLab, GitHub, and Bitbucket, all with custom encrypted archives.

Moreover, researchers have observed that StripedFly has already infected more than 1 million systems. They obtained this information from a Bitbucket repository linked to the malware, created on June 21, 2018, under the account of someone using the name Julie Heilman. The fact that it has remained undetected for around six years is particularly astounding.

StripedFly's Internals

StripedFly's structure comprises a monolithic binary executable with pluggable modules, allowing attackers to expand or enhance its functionality. Each module manages its own callback function for communication with a C2 server.

Upon infiltrating a network, StripedFly initially appears as a PowerShell component delivered through a server message block (SMB) exploit, which seems to be a customized version of EternalBlue (leaked in April 2017), used to enter unpatched Windows servers.
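Because the entry vector described above is an SMBv1 exploit against unpatched hosts, the check a defender wants first is whether a Windows machine still exposes SMBv1 at all. The following PowerShell script is an added example for this article, not code from the researchers or from the malware itself: it audits the SMBv1 server setting and the SMB1Protocol optional feature, and disables both when run with the script's own `-Remediate` switch (that switch is this script's parameter, not a Windows cmdlet option). It does not check MS17-010 hotfix status, because the relevant KB numbers differ by OS version; verify that separately through your patch-management tooling.

```powershell
# Added example (not from the article): audit and, optionally, disable SMBv1 on a
# Windows host. EternalBlue-style exploits talk to the SMBv1 server, so a host with
# SMBv1 removed and the MS17-010 fixes installed is not exposed to that entry vector.
# Run from an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.
[CmdletBinding()]
param(
    # Script-specific switch (assumption for this example): disable SMBv1 if exposed.
    [switch]$Remediate
)

function Get-Smb1Exposure {
    # Server-side SMBv1 setting: the surface an SMB exploit actually reaches.
    $server = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol

    # Whether the SMB1Protocol optional feature is installed at all.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$server
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }
        # Either condition means the SMBv1 attack surface still exists on this host.
        Exposed           = [bool]$server -or ($feature -and $feature.State -eq 'Enabled')
    }
}

function Disable-Smb1 {
    # Turn the SMBv1 server protocol off immediately...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ...and uninstall the feature so it cannot simply be switched back on.
    # -NoRestart defers the reboot; the removal completes after the next restart.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$before = Get-Smb1Exposure
$before | Format-List

if ($before.Exposed -and $Remediate) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; a reboot completes the feature removal.'
    Get-Smb1Exposure | Format-List
}
```

Running the script with no arguments only reports; `-Remediate` applies the change. On a fleet, the same two cmdlets are usually driven through configuration management or Group Policy rather than run by hand, but the audit object above is a convenient way to confirm the result per host.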

The malware employs various persistence methods based on factors like the availability of the PowerShell interpreter and process privileges. Generally, the malware runs with administrative privileges when installed through the exploit and with user-level privileges when delivered via the Cygwin SSH server.

In terms of modules, StripedFly features three service modules for configuration storage, malware updates, and removal, as well as a reverse proxy. Additionally, there are six functionality modules that give attackers a range of capabilities: a miscellaneous command handler, a credential harvester, repeatable tasks for taking screenshots and recording microphone input, a reconnaissance module for compiling system information, and SMBv1 and SSH infectors for penetration and worm-like spread.

Researchers have also identified a related ransomware variant named ThunderCrypt, which shares the same underlying codebase and communicates with the same C2 server as StripedFly.

October 27, 2023
