Security News > 2023 > October > StripedFly malware framework infects 1 million Windows, Linux hosts

A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time.
Kaspersky discovered the true nature of the malicious framework last year, finding evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner.
While it's unclear if this malware framework was utilized for revenue generation or cyber espionage, Kaspersky says its sophistication indicates that this is an APT malware.
The StripedFly malware framework was first discovered after Kaspersky found the platform's shellcode injected in the WININIT.EXE process, a legitimate Windows OS process that handles the initialization of various subsystems.
The final StripedFly payload features a custom lightweight TOR network client to protect its network communications from interception, the ability to disable the SMBv1 protocol, and spread to other Windows and Linux devices on the network using SSH and EternalBlue.
The malware's command and control server is on the TOR network, and communication with it involves frequent beacon messages containing the victim's unique ID. For persistence on Windows systems, StripedFly adjusts its behavior based on the level of privileges it runs on and the presence of PowerShell.
News URL
Related news
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- New Microsoft script updates Windows media with bootkit malware fixes (source)
- LightSpy Expands to 100+ Commands, Increasing Control Over Windows, macOS, Linux, and Mobile (source)
- New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems (source)
- Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems (source)
- Steam pulls game demo infecting Windows with info-stealing malware (source)
- EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware (source)
- APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware (source)