StripedFly reclassified from petty larceny to APT.
The CyberWire, Oct 27, 2023

Not all unwanted programs are what they appear to be. (You knew that, but in this case a major threat poses as a minor nuisance.)

In espionage, it can pay to be underestimated. That appears to be the case with the StripedFly cryptominer, which has turned out not to be what it seemed.

StripedFly is an espionage operation masquerading as a cryptominer.

Kim Zetter reports, in her Zero Day newsletter, that the StripedFly cryptominer has turned out to be more malign than hitherto believed. When Kaspersky discovered it in 2017, they wrote it off as a simple piece of criminal malware, designed for cryptomining. They also wrote it off as uninteresting and unsuccessful, yielding its proprietors nothing more than chump change. All they got from mining Monero alt-coin came to just ten bucks in 2017, and only $500 in 2018. Not enough to interest even a spoiled script kiddie.

Apparently, however, StripedFly was actually interested in collecting information, not cryptocurrency. Kaspersky "discovered the miner was actually a cover for a sophisticated spy platform that has infected more than one million victims around the world since 2017."

StripedFly seems, rather, to be a carefully designed espionage toolset that masked itself as an uninteresting, stumblebum criminal operation. Zetter explains: "The spy components include ones for harvesting credentials from infected machines; for siphoning .PDFs, videos, databases and other valuable files; grabbing screenshots; and recording conversations through an infected system’s microphone. The platform also has an updating function that lets the attackers push out new versions of it whenever Windows and Linux operating systems get updated. The malware gets pushed out from encrypted archives stored on GitLab, GitHub, and Bitbucket."

No attribution, but the malware in use has a provenance in espionage.

StripedFly gains initial access to its targets through a variant of EternalBlue, an exploit attributed to an actor Kaspersky tracks as the Equation Group. Kaspersky studiously avoids attribution to nation-state services, but the Equation Group is widely believed to be associated with the US National Security Agency. EternalBlue was blown by the ShadowBrokers in April of 2017, a month after Microsoft patched the vulnerability the exploit targeted. Since then, other services, notably China's Ministry of State Security, have used variants of EternalBlue, but it's not at all clear who's responsible for StripedFly. It does seem clear, however, that it's an espionage operation, and not a low-grade criminal caper.

It's commonplace for a malicious actor to pose as something benign. It's more unusual for an espionage service to pose as a petty criminal.

StripedFly has enjoyed a surprisingly long run.

According to Colin Little, Security Engineer at Centripetal, "It's rare that a malware framework is so long-lived and has such wide proliferation. Threat intelligence can absolutely play a role in things like detecting or preventing Tor-based C2 and cryptocurrency mining, along with identifying systems sourcing this network traffic. The technical analysis of the malware empowers the enterprise to monitor for other network and endpoint-based indicators of compromise, such as use of PowerShell."