StripedFly: Unmasking the Cryptocurrency Miner with a Hidden Agenda

Cryptocurrency mining malware is nothing new in the world of cybersecurity. These stealthy parasites often infiltrate systems and steal computing power for profit. But what if we told you that behind the façade of a run-of-the-mill cryptocurrency miner lies a highly sophisticated and enigmatic malware known as StripedFly? Let’s unveil the mysteries of StripedFly, a malware that has successfully flown under the radar for years, thanks to its intricate modular framework, its use of the TOR network, and its unique propagation patterns. We will delve into how StripedFly started, its intricate infection methods, its persistence mechanisms, and its modular structure, including the Monero cryptocurrency mining module.

The Deceptive Beginning StripedFly

StripedFly was discovered in 2022, initially mistaken for a run-of-the-mill cryptocurrency miner. However, further analysis uncovered a complex and deceptive malware with a hidden agenda. Its infection begins within the WININIT.EXE process, allowing it to download binary files and execute PowerShell scripts. Its use of a custom SMBv1 exploit similar to EternalBlue was a key discovery. StripedFly employs various methods to maintain persistence, adapting to the availability of the PowerShell interpreter and the privileges granted to the process. It registers itself in the system’s registry and hidden directories, ensuring it remains active.

To minimize its footprint, StripedFly stores elements in encrypted and compressed custom binary archives hosted on legitimate websites. These archives masquerade as firmware binaries for “m100” devices, concealed within a Bitbucket repository created in 2018. Its command and control (C2) server resides within the TOR network. The malware communicates with the C2 server through a unique and lightweight TOR client, maintaining its stealth.

StripedFly
Infection flow on Windows

The Modular Structure of StripedFly

StripedFly’s modular structure distinguishes it as an advanced threat. It comprises service modules and functionality modules, each assigned specific tasks.

Service Modules:

  • Configuration Storage: Securely holds malware configurations, with variations for Windows and Linux versions.
  • Upgrade/Uninstall: Manages updates and uninstallation procedures.
  • Reverse Proxy: Grants remote access to the victim’s network for executing actions on their behalf.

Functionality Modules:

  • Miscellaneous Command Handler: Offers various commands to interact with the victim’s system, capture screenshots, retrieve system information, and execute shellcode.
  • Credential Harvester: Collects sensitive data, including website login credentials, autofill information, and credentials from popular software clients.
  • Repeatable Tasks: Executes specific tasks, such as taking screenshots, running processes, and recording microphone input.
  • Recon Module: Gathers extensive system information and transmits it to the C2 server.
  • SMBv1 and SSH Infectors: Dedicated modules for penetrating systems using custom exploits.

Mining Module and Indicators of Compromise

StripedFly includes a Monero mining module, operating in a separate process. It camouflages itself as a legitimate Chrome executable, effectively evading detection.

There are various indicators that reflect the compromise some of them are C2 servers, URLs, and file hashes.

StripedFly is a complex and enigmatic malware that has successfully evaded detection for years. Its true purpose remains a mystery, as it combines advanced functionality with a focus on Monero mining. While motives are unclear, StripedFly highlights the need for vigilance and robust security practices in combating advanced cyber threats.

For more news and updates on Cybersecurity, visit The Cybersecurity Club.

Post navigation

Leave a Reply

Your email address will not be published. Required fields are marked *

Cornell’s AI Model Raises Concerns for Cyberworld with Audio-Based Keyboard Attacks

HelloKitty Ransomware Source Code Leaked by Threat Actor

Hot Pixels Attack: Revealing Browser History Through Processor Exploitation

3CX Updates Security With Updated Windows Desktop App In Wake of Supply Chain Attack