A piece of malware disguised as the StripedFly cryptocurrency miner helped it avoid detection for more than five years.
According to Kaspersky, this malware has infected more than 1 million computers running Windows and Linux operating systems globally since 2016. Researchers began investigating this malware last year when they noticed the software. flagged detections in WINNIT.exe, a program that helps the Windows operating system start.
Subsequent findings point to StripedFly, which was initially classified as a cryptocurrency miner. But on closer inspection, Kaspersky found that the exploit was just one component of more complex malware, using techniques believed to be from the US National Security Agency (NSA). StripedFly incorporated EternalBlue, the infamous exploit developed by the NSA, which was later leaked and used in the WannaCry ransomware attack to infect hundreds of thousands of Windows machines in 2017.
StripedFly uses the EternalBlue attack to penetrate unpatched Windows systems and silently spread across computer networks including systems running Linux. This malware can collect sensitive data from infected computers, such as login information and personal data.
Furthermore, this malware can also take screenshots on the device without being detected, gain significant control over the device, and even record audio from the microphone.
To avoid detection, StripedFly authors added a cryptocurrency mining module to prevent detection by antivirus systems. Kaspersky said that periodically, the malware will monitor the mining process and restart if necessary. It also sends a lot of reporting information such as working time, number of undetected times, and error statistics to the control server.
It is still unclear who developed StripedFly, although this malware contains an attack module originating from the NSA, the agency’s EternalBlue exploit was leaked in April 2017 through the Shadow Brokers group.
Although Microsoft released a patch for EternalBlue in March 2017, many Windows systems failed to install it, allowing StripedFly to take advantage of the infection over the years.
