StripedFly Malware

Kaspersky recently uncovered an advanced strain of malware called StripedFly that has managed to evade detection for over five years, infecting one million devices worldwide in the process. The malware is part of a larger entity employing a custom EternalBlue SMBv1 exploit attributed to the Equation Group in order to infiltrate publicly-accessible systems. StripedFly employs a built-in TOR network tunnel for communication with command servers and utilizes trusted services such as GitLab, GitHub, and Bitbucket for updates and delivery. The malware achieves persistence by modifying the Windows Registry or creating task scheduler entries if the PowerShell interpreter is installed and administrative access is available.

The malicious shellcode, delivered via the exploit, has the ability to download binary files from a remote Bitbucket repository as well as execute PowerShell scripts. It also supports a collection of plugin-like expandable features to harvest sensitive data and even uninstall itself.

The platform's shellcode is injected in the wininit.exe process, a legitimate Windows process that's started by the boot manager (BOOTMGR) and handles the initialization of various services. "The malware payload itself is structured as a monolithic binary executable code designed to support pluggable modules to extend or update its functionality," security researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin said in a technical report published last week.

StripedFly also comes equipped with a built-in TOR network tunnel for communication with command servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives.

Notable spy modules include the ability to gather credentials every two hours, capture screenshots on the victim's device without detection, record microphone input, and start a reverse proxy to execute remote actions. Upon gaining a successful foothold, the malware proceeds to disable the SMBv1 protocol on the infected host and propagate the malware to other machines using an worming module via both SMB and SSH, using keys harvested on the hacked systems.

StripedFly achieves persistence by either modifying the Windows Registry or by creating task scheduler entries if the PowerShell interpreter is installed and administrative access is available. On Linux, persistence is accomplished by means of a systemd user service, autostarted .desktop file, or by modifying /etc/rc*, profile, bashrc, or inittab files.

In an effort to minimize the footprint, malware components that can be offloaded are hosted as encrypted binaries on various code repository hosting services such as Bitbucket, GitHub, or GitLab. Communication with the command-and-control (C2) server, which is hosted in the TOR network, takes place using a custom, lightweight implementation of a TOR client that is not based on any publicly documented methods.

Another striking characteristic is that these repositories act as fallback mechanisms for the malware to download the update files when its primary source (i.e., the C2 server) becomes unresponsive. Kaspersky said it further uncovered a ransomware family called ThunderCrypt that shares significant source code overlaps with StripedFly barring the absence of the SMBv1 infection module.

The origins of StripedFly remain unknown, although the sophistication of the framework and its parallels to EternalBlue exhibit all the hallmarks of an advanced persistent threat (APT) actor. It's worth pointing out that while the Shadow Brokers' leak of the EternalBlue exploit took place on April 14, 2017, the earliest identified version of StripedFly incorporating EternalBlue dates a year back to April 9, 2016.

Mind Map