StripedFly: This malware was not the simple cryptocurrency miner it claimed to be


Better late than never. Researchers at the Russian security vendor Kaspersky have just announced the discovery of a highly sophisticated piece of malware, StripedFly, which they say has claimed more than a million victims over five years. The program had initially been classified as a simple cryptocurrency miner, like so many others.

However, Kaspersky's experts explain, it was in fact malware with far broader capabilities, built from several malicious modules ranging from Monero mining to discreet surveillance of victims. StripedFly could steal sensitive data such as login credentials, take screenshots on the victim's device without being detected, and even record audio through the microphone.

Elegant code

It could also communicate with its operators over a built-in Tor connection, and it could update itself through trusted services such as GitLab. Kaspersky's experts sum this up as a "truly remarkable" effort. This level of investment is uncommon among cybercriminals, they add, highlighting the elegance of the programming and the complexity of the design.

A decidedly intriguing piece of software: the malware uses a custom EternalBlue exploit to break into its victims' systems. Yet, as the Russian vendor notes, the first known version of StripedFly that already included this exploit dates from April 2016. That is a full year before EternalBlue, the offensive tool attributed to the NSA, the United States' signals intelligence agency, was leaked by the mysterious Shadow Brokers.

The hallmark of the NSA

While Kaspersky stops short of formal attribution, the vendor strongly suggests that StripedFly may be yet another secret NSA tool, pointing to similarities in coding style with other tools of the Equation group, the toolkit linked to the NSA. The icing on the cake: the malware probably did generate revenue by mining Monero.

But mining was first and foremost a feature intended to mislead. Kaspersky's experts note in this regard that the price of the Monero token has fallen significantly since its peak in January 2018, which makes a purely financial motive hard to believe. The true objective of the malware remains a mystery, Kaspersky concludes, with one warning: the malicious program has clearly succeeded in at least one mission, staying below the radar for a very long time.



Source link -97