More Than a Cryptominer, StripedFly Malware Infects 1 Million PCs
2023-10-28 00:03:46 Author: securityboulevard.com

A malware that for more than half a decade was written off as just another cryptominer actually was a stealthy and sophisticated threat that infected more than a million Windows and Linux systems, harvesting credentials and spying on users.

Kaspersky researchers began looking into the StripedFly malware last year after detecting older code in the Wininit.exe process, a legitimate process in the Windows operating system that initializes critical system services and drivers upon startup.

The investigation into the code raised almost as many questions as it answered.

“What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity,” researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin wrote in a report this week.

The larger entity is a complex advanced persistent threat (APT) malware that uses the Monero cryptominer – while a legitimate function – as a diversion from the multiple other modules it runs.

“The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group,” the researchers wrote. “Kaspersky experts emphasize that the mining module is the primary factor enabling the malware to evade detection for an extended period.”


That period stretched for years, during which time, they wrote, “it had effectively evaded analysis and had previously been misclassified as a cryptocurrency miner. However, while it was in fact serving that purpose, that wasn’t its main objective.”

Enter EternalBlue

The investigation into the malware uncovered a custom variant of EternalBlue, the SMBv1 exploit that became famous as part of the WannaCry ransomware attacks in 2017. It’s unclear where StripedFly came from. The particular EternalBlue code was made public that same year by the Shadow Brokers group, but the earliest detection of StripedFly came in April 2016, suggesting some link between the creators of

StripedFly used the EternalBlue exploit to get into targeted systems.

“What set this particular worm apart from other malware that used EternalBlue was its distinctive propagation pattern,” the researchers wrote. “It spread quietly, allowing it to avoid detection by most security solutions.”

Once in the system, the malware downloads files from legitimate services like GitHub, GitLab, and Bitbucket and runs PowerShell scripts.

StripedFly’s payload includes a lightweight Tor network client that keeps its communication with the command-and-control (C2) servers from being detected, a framework that includes plugin-like modules that the bad actors can use to expand and update its functionality, and the ability to disable the SMBv1 protocol from the infected system.

The malware can then spread to other Windows systems as well as Linux devices on the network, not only via the EternalBlue exploit but also over the SSH protocol using keys found on the victim’s system.

Multiple Modules

StripedFly then uses multiple methods for establishing persistence on the machine, depending on the availability of the PowerShell interpreter and the privileges granted to the process, according to the Kaspersky researchers, adding that “typically, the malware would be running with administrative privileges when installed via the exploit, and with user-level privileges when delivered via the Cygwin SSH server.”

Absent that, the malware has other ways of keeping persistence. That includes on Linux machines, where it may register a system-level or user-level service, or use other methods.

The Bitbucket repository used to deliver the payload on Windows systems was created in June 2018 under the name “Julie Heilman.” The file was last updated in February 2022, with the number of initial infections sitting at 160,000, though that dropped to 60,000 by last month.

However, the researchers said that based on the download counters displayed by the repository hosting the malware, they estimated the number of victims at more than a million.

The multiple modules in the malware enable the threat actor to operate not only as a cryptominer and APT, but also as a ransomware group, according to Kaspersky. Among the capabilities in the modules are the ability to remotely take actions on an infected network, take screenshots, record microphone input, retrieve system details, harvest credentials, and send information to the C2 server.

ThunderCrypt Ransomware

Kaspersky also came across a related ransomware variant called ThunderCrypt that shares the same codebase with StripedFly and communicates with the same C2 server. The ransomware first appeared in April 2017, with most of the activity behind it happening a month later.

Despite all the details the researchers pulled from StripedFly, there are still questions, they wrote. Key among them is what the purpose of the malware was.

“That remains a mystery,” they wrote. “While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn’t opt for the potentially more lucrative path instead. The prevailing narrative often centers around ransomware actors collecting anonymous ransoms, but this case seems to defy the norm.”

They added that “only those who crafted this enigmatic malware hold the answer. It’s difficult to accept the notion that such sophisticated and professionally designed malware would serve such a trivial purpose, given all the evidence to the contrary.”

Source: https://securityboulevard.com/2023/10/more-than-a-cryptominer-stripedfly-malware-infects-1-million-pcs/