More than a million Windows and Linux systems have been compromised by the sophisticated StripedFly malware framework between 2017 and 2022, according to BleepingComputer.
Aside from its advanced mechanisms for hiding TOR-based traffic and for automated updates, StripedFly also included worm functionality and a custom EternalBlue exploit for the SMBv1 flaw, a report from Kaspersky revealed.
StripedFly attacks targeted the Windows WININIT.EXE process, injecting shellcode that enables the execution of additional files, which in turn trigger the final payload. The malware modules distributed by StripedFly, which has been linked to ThunderCrypt ransomware, provided encrypted malware configuration storage, update management, reverse proxies, sensitive data scanning and exfiltration, repeatable tasks, command execution, and Monero mining, and used exfiltrated SSH credentials together with the EternalBlue exploit to compromise further systems.
"The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group... Kaspersky experts emphasize that the mining module is the primary factor enabling the malware to evade detection for an extended period," said researchers.
Misconfigured Magento or OpenCart instances may have been targeted to facilitate the deployment of Mongolian Skimmer, which uses various event-handling methods to ensure extensive compatibility while hiding malicious activity with heavy Unicode character utilization.
Malicious GitHub pages and YouTube videos containing links to purported cracked office software, automated trading bots, and game cheats have been leveraged to facilitate the download of self-extracting, password-protected archives.