
Widespread StripedFly malware framework compromise reported in Windows, Linux systems

More than a million Windows and Linux systems were compromised by the sophisticated StripedFly malware framework between 2017 and 2022, according to BleepingComputer. Aside from advanced mechanisms for hiding TOR-based traffic and automating updates, StripedFly also included worm functionality and a custom EternalBlue exploit for an SMBv1 flaw, a report from Kaspersky revealed. Attacks with StripedFly targeted the Windows WININIT.EXE process, injecting shellcode that facilitates the execution of additional files, which in turn trigger the final payload. Malware modules distributed by StripedFly, which has been associated with ThunderCrypt ransomware, enabled encrypted malware configuration storage, update management, reverse proxies, sensitive data scanning and exfiltration, repeatable tasks, command execution, and Monero mining, as well as the use of exfiltrated SSH credentials and the EternalBlue exploit for further system compromise. "The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group... Kaspersky experts emphasize that the mining module is the primary factor enabling the malware to evade detection for an extended period," said researchers.
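One defender-side check that follows from the injection detail above, as an added example that is not part of the SC Media report or Kaspersky's research: it scans Sysmon-style CreateRemoteThread records (Sysmon Event ID 8), flags any whose target is wininit.exe, and ranks each finding by whether the source image lives under the Windows system directories. The field names (EventID, SourceImage, TargetImage) follow Sysmon's schema; the flattened key=value line format, the sample records and the severity policy are assumptions constructed for this example.

```python
"""Flag remote-thread creation into wininit.exe in Sysmon-style logs.

Added example: assumes Sysmon Event ID 8 (CreateRemoteThread) records
flattened to one key=value line each. The log lines are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real data). Lines 1 and 2 show remote
# threads created in wininit.exe; lines 3 and 4 are unrelated noise.
SAMPLE_LOG = """\
EventID=8 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\wininit.exe StartFunction=
EventID=8 SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe TargetImage=C:\\Windows\\System32\\wininit.exe StartFunction=
EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe
EventID=8 SourceImage=C:\\Program Files\\EDR\\sensor.exe TargetImage=C:\\Windows\\explorer.exe StartFunction=LoadLibraryW
"""

# Source images under these paths are treated as lower (not zero) risk;
# a remote thread into wininit.exe is unusual from anywhere.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# key=value pairs; a value runs until the next " Key=" token or end of line,
# so paths containing spaces (e.g. "Program Files") survive. Values that
# themselves contain " word=" would be split, a known limit of this format.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    source_image: str
    target_image: str
    severity: str


def parse_record(line: str) -> dict:
    """Turn one flattened key=value line into a dict."""
    return {m.group(1): m.group(2) for m in _KV.finditer(line)}


def _basename(path: str) -> str:
    """Windows-style basename, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_wininit_injection(log_text: str) -> list:
    """Return a Finding for every Event ID 8 record targeting wininit.exe."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "8":
            continue
        target = rec.get("TargetImage", "")
        if _basename(target) != "wininit.exe":
            continue
        source = rec.get("SourceImage", "")
        from_system_dir = source.lower().startswith(SYSTEM_DIRS)
        severity = "medium" if from_system_dir else "high"
        findings.append(Finding(source, target, severity))
    return findings


if __name__ == "__main__":
    for f in detect_wininit_injection(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.source_image} -> {f.target_image}")
```

Run against real Sysmon output, the same rule can be expressed as a SIEM query on Event ID 8 with TargetImage ending in wininit.exe; the Python form is just an offline way to validate the logic against known-good and known-bad records before deploying it.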
