Kaspersky cybersecurity researchers recently unearthed an intriguing malware, StripedFly. Initially mistaken for a mere cryptocurrency miner in 2017, StripedFly’s true potential has only recently come to light. This malware can execute remote commands, capture screenshots, and pilfer sensitive data, including passwords. Additionally, it can harness the integrated microphone to record audio, move laterally to neighboring endpoints using stolen credentials, exploit EternalBlue for system infiltration, and even engage in Monero mining.
The Monero Mining Ruse
Monero mining serves as a clever diversion tactic, hampering code analysis efforts.
This stratagem yielded success, with an alleged one million compromised devices. However, uncertainty surrounds this number; the only verifiable data pertain to 220,000 Windows infections since February 2022, obtained from a Bitbucket repository created in 2018.
Kaspersky estimates well over a million infections, especially since StripedFly targets both Windows and Linux endpoints.
The masterminds behind this operation remain a mystery. While Kaspersky refrains from labeling it as state-sponsored, it aligns with the characteristics of an Advanced Persistent Threat (APT), often associated with state backing.
Kaspersky’s report highlights the malware’s versatility: it functions as an APT toolkit, as a crypto miner, and even as ransomware. The Monero cryptocurrency reached its peak value at $542.33 on January 9, 2018, compared to around $10 in 2017, and has maintained a value of approximately $150 as of 2023.
Crucially, the mining module is the linchpin enabling this malware to elude detection over an extended period.