Malware thought to be a mere cryptominer was actually a spy platform for both Windows and Linux systems; it already has infected more than 1 million victims.
StripedFly was classified and widely dismissed as a largely ineffective malware for mining crypto when it was first detected in 2017. But since then, it has actually been operating as an intricate piece of modular malware that allows attackers to achieve persistence on networks and comprehensive visibility into their activity, as well as exfiltrate credentials and other data at will, researchers from Kaspersky revealed in a blog post published Oct. 26.
While StripedFly can indeed mine Monero cryptocurrency, that’s just the tip of the iceberg for its capabilities — something the researchers discovered last year and investigated thoroughly before releasing their findings publicly.
Overall, the platform appears to be “a hallmark of APT malware” that includes a built-in Tor network tunnel for communication with command-and-control (C2) servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives, they revealed.
Moreover, StripedFly appears to have already infected more than 1 million systems based on updates the researchers obtained from a Bitbucket repository associated with the malware and created on June 21, 2018, under the account of someone using the name Julie Heilman.
The researchers said the discovery of the breadth of StripedFly is “astonishing,” especially given that it has successfully evaded detection for some six years.