Kaspersky experts have unearthed a previously unknown and highly sophisticated malware, StripedFly, which has infected over one million systems worldwide. Initially taken for a cryptocurrency miner, it turned out to be a complex, multi-component malware framework.
In 2022, Kaspersky's Global Research and Analysis Team noticed two unexpected detections inside the WININIT.EXE process. They were triggered by code sequences similar to those previously observed in the Equation malware. StripedFly had been active since at least 2017 and had gone undetected all that time, having been misclassified as a cryptocurrency miner. After a thorough investigation, it turned out that the miner was only one piece of a much more complex threat.
Depending on which of its components are active, the malware can present itself as an APT-type threat, as a crypto miner or as a broader malware platform, so its complexity offers several possible motives to whoever operates it. For context, Monero, the cryptocurrency mined by the operation, peaked at $542.33 on 9 January 2018, up from around $10 in 2017, and has traded around $150 over the course of this year. Kaspersky experts stress that the mining component is the primary reason the malware went undetected for so long: it gave analysts a plausible but incomplete explanation for the infection.
The operator also gains the ability to surveil infected users. Every two hours the malware harvests sensitive data such as saved passwords, as well as the victim's name, address, phone number, employer and job title. It can also take screenshots, take control of the system and switch on the device's microphone at will, all without being detected.
None of these capabilities were known before Kaspersky's investigation, which also revealed that initial access to the victim's system is gained through a custom EternalBlue SMBv1 exploit. The threat remains significant because many systems are still unpatched, even though Microsoft released a fix (MS17-010) in 2017 and the EternalBlue vulnerability has been public since then.
In their technical analysis, Kaspersky's experts observed similarities with the Equation malware: the technical features, coding style and operational practices closely resemble those of the StraitBizzare (SBZ) malware. Based on the download counters of the repository from which the malware was installed, the estimated number of StripedFly victims exceeds one million worldwide.
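Because the initial access vector is the 2017 EternalBlue SMBv1 exploit, the practical check on a Windows host is whether SMBv1 is still enabled and whether the MS17-010 fix is present. The script below is an added example written for this article, not code from Kaspersky's report or from the StripedFly analysis; the KB list is the editor's own enumeration of the March 2017 MS17-010 security-only and rollup packages and is an assumption that does not cover later cumulative updates, which supersede those KBs on current builds.

```powershell
# Added example (not from the article or Kaspersky): audit a Windows host for the
# SMBv1 exposure abused by EternalBlue (MS17-010). Run in an elevated PowerShell.

function Test-Smb1Exposure {
    [CmdletBinding()]
    param()

    # 1. Server-side SMB1 support (Windows 8 / Server 2012 and later expose this cmdlet).
    $smbConfig = Get-SmbServerConfiguration
    $smb1Enabled = [bool]$smbConfig.EnableSMB1Protocol

    # 2. Whether the SMB1 optional feature is installed at all.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State } else { 'Unknown' }

    # 3. MS17-010 hotfix IDs (assumption: March 2017 packages only; on Windows 10
    #    builds after 1607 and on Windows 11 the fix ships in cumulative updates
    #    and will not appear under these IDs).
    $ms17010Kbs = @(
        'KB4012598',                # Vista / Server 2008 / XP & 2003 (out-of-band)
        'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / rollup)
        'KB4012214', 'KB4012217',   # Server 2012
        'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
        'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
    )
    $installedKbs = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $smb1Enabled
        Smb1FeatureState  = $featureState
        Ms17010Hotfixes   = if ($installedKbs) { $installedKbs -join ',' } else { 'none matched' }
        # SMB1 enabled and no matching hotfix is the clearly exposed case; SMB1 enabled
        # on a current build may still be fine for MS17-010 but should be disabled anyway.
        Exposed           = $smb1Enabled -and -not $installedKbs
    }
}

function Disable-Smb1 {
    # Remediation: turn off the SMB1 server and remove the feature. Requires a reboot
    # for the feature removal to take full effect.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# Usage:
$result = Test-Smb1Exposure
$result | Format-List
if ($result.Smb1ServerEnabled) { Disable-Smb1 }
```

The result object is meant to be collected across a fleet (for example via `Invoke-Command`) rather than read on one machine; the `Exposed` flag is deliberately conservative, so treat any host reporting `Smb1ServerEnabled = True` as work to do regardless of the hotfix column.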
To avoid becoming a victim of a targeted attack from any threat actor, Kaspersky researchers recommend implementing the following measures: