The StripedFly mining worm has spying capabilities and infected more than a million systems
<blockquote data-quote="Plotu" data-source="post: 454" data-attributes="member: 5"><p>Researchers have discovered a previously unknown and complex piece of malware called StripedFly. Since 2017 its victims have numbered more than a million users worldwide, and it is still in use (although less actively). Previously it was believed that the malware was a regular miner, but it turned out to be a complex threat with a multifunctional, working framework.</p><p></p><p>Kaspersky Lab experts say that in 2022 two incidents involving StripedFly were detected. Both turned out to be related to the Windows system process wininit.exe, in which a code sequence previously used in the Equation group's malware was noticed.</p><p></p><p><img src="https://ver.ae/imagehosting/2023/10/27/e487998874.jpg" alt="e487998874.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><em>StripedFly attack scheme</em></p><p></p><p>The analysis showed that the malicious code downloaded and executed additional files (for example, PowerShell scripts) from legitimate hosting services, including Bitbucket, GitHub, and GitLab.</p><p></p><p>Although the activity of the samples found goes back at least to 2017, it was not immediately studied thoroughly, since it was initially mistaken for a regular cryptocurrency miner. Only after a comprehensive study did it turn out that the miner is only part of a more complex multi-platform structure with many plugins.</p><p></p><p>The researchers came to the conclusion that the many modules allow attackers to use StripedFly as part of APT attacks, as a cryptocurrency miner, or even as a ransomware program. Accordingly, the list of possible motives of the intruders is significantly expanded: from financial gain to espionage.</p><p></p><p>At the same time, the report notes that the value of the Monero cryptocurrency mined using the malicious module reached $542.33 at its peak on January 9, 2018 (for comparison, in 2017 its price was about $10).
Now, in 2023, the value of the cryptocurrency is holding at the level of $150.</p><p></p><p>The researchers consider the use of the miner a red herring, and the main goals of the intruders to be data theft and hacking systems using the other modules. Moreover, the mining module is a key factor in why the threat was not fully detected for a long time.</p><p></p><p>In addition to mining, the attackers have many opportunities to covertly spy on victims. The malware collects credentials every two hours; this can include usernames and passwords for logging in to sites or connecting to Wi-Fi, or a person's personal data, including name, address, phone number, place of work and position. StripedFly can also discreetly take screenshots on the victim's device, gain full control over it, and even record voice data from the microphone.</p><p></p><p>Interestingly, the source of the initial infection remained unknown for a long time. Further investigation revealed that the attackers were using their own implementation of the EternalBlue "SMBv1" exploit for this purpose.</p><p></p><p>So, the final StripedFly payload (system.img) includes a custom lightweight Tor client to protect network communications from interception (the control server is located in Tor), can disable the SMBv1 protocol, and can also spread to other devices running Windows and Linux using SSH and the already mentioned EternalBlue exploit.</p><p></p><p>The Bitbucket repository, which delivers the last-stage payload to Windows systems, shows that about 60,000 infections took place from April 2023 to September 2023.</p><p></p><p><img src="https://ver.ae/imagehosting/2023/10/27/65045b35b1.jpg" alt="65045b35b1.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p>According to the experts, since February 2022 StripedFly has infected at least 220,000 Windows systems, but statistics for an earlier period are not available, and the repository itself was created in 2018.
As a result, according to the researchers, StripedFly has already infected at least a million devices in total.</p><p></p><p>It is also worth noting that the researchers found a connection between StripedFly and the old ThunderCrypt ransomware, which appeared back in 2017. In particular, both malware programs use the same codebase and interact with the same management server located at ghtyqipha6mcwxiz [.] onion:1111.</p><p></p><p>In terms of functionality and set of modules, ThunderCrypt turned out to be surprisingly similar to StripedFly. Here, too, there is a Tor client, a configuration repository, a malware update/removal module, and a reconnaissance module. There is only one notable exception: the absence of the SMBv1 infection module.</p><p></p><p>"What is the true purpose of [StripedFly]? This remains a mystery. Although the ThunderCrypt ransomware suggests a financial motive for its authors, one wonders why they didn't choose a more lucrative path. Usually, ransomware authors collect anonymous ransoms, but this case seems to be an exception.</p><p></p><p>The question remains open, and only the people who created this mysterious malware know the answer. It is difficult to accept the idea that such sophisticated and professionally designed malware can serve such trivial purposes, given that all the evidence suggests otherwise," the analysts conclude.</p></blockquote><p></p>
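A defender-side check that follows from the propagation method described in the post (an EternalBlue-style SMBv1 exploit): an added PowerShell audit script, not part of the original post or of the Kaspersky report. It assumes a Windows 10/11 or Server 2016+ host with the SmbShare and DISM modules available, and must run elevated.

```powershell
#Requires -RunAsAdministrator
# Audit (and optionally remediate) SMBv1 exposure on a Windows host.
# Added example, not code from the original post; assumes Windows 10/11
# or Server 2016+ with the SmbShare and DISM PowerShell modules.
param([switch]$Remediate)

$findings = @()

# 1. Is the SMB server still willing to negotiate SMBv1?
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    $findings += "SMB server accepts SMBv1 (EnableSMB1Protocol = True)"
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. Is the SMBv1 optional feature (driver and client) still installed?
$feat = $null
try {
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
} catch { }
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += "Windows optional feature SMB1Protocol is installed"
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
} elseif (-not $feat -and (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
    # Server SKUs expose the same component as a role feature instead.
    $srv = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    if ($srv -and $srv.Installed) {
        $findings += "Server feature FS-SMB1 is installed"
        if ($Remediate) { Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null }
    }
}

# 3. Is SMB signing required? Reduces tampering/relay risk even on SMBv2/3.
if (-not $cfg.RequireSecuritySignature) {
    $findings += "SMB signing is not required (RequireSecuritySignature = False)"
}

# 4. Report where port 445 is listening, so exposure beyond the host is visible.
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    $addrs = ($listen.LocalAddress | Sort-Object -Unique) -join ', '
    $findings += "Port 445 is listening on: $addrs"
}

if ($findings.Count -eq 0) { "OK: no SMBv1 exposure found on $env:COMPUTERNAME" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run without `-Remediate` first to see the findings; removing the SMB1Protocol feature takes effect only after a reboot.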