Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label EternalBlue. Show all posts

StripedFly: Cryptomining Tool Infects 1 Million Targets Worldwide


Security firm Kaspersky Lab has revealed that a cryptominer, which never really generated a hefty crypto amount for its operators, is now a part of a bigger digital espionage campaign. Since 2017, the platform, known as StripedFly, has infected over a million Windows and Linux targets worldwide. StripedFly was most likely developed as a component of a well-funded state espionage program rather than a cybercriminal operation because it is modular and has several components for infiltrating targets' devices and gathering various types of data. Additionally, it has an update system that allows attackers to add new features and upgrades to the malware. 

Among other malware, StripedFly can steal access credentials from targeted systems, and take capture screenshots, obtain databases, private files, movies, or other relevant data, and record audio in real time by breaking into a target's microphone. Interestingly, StripedFly conceals communication and exfiltration between the malware and its command-and-control servers using a novel, proprietary Tor client. 

Additionally, there is a ransomware component that has occasionally been used by attackers. Using a modified version of the infamous EternalBlue exploit that was published by the US National Security Agency, it first infects targets.

While StripFly can steal Monera cryptocurrency, that is only a portion of what it is capable of. The researchers found this out last year and thoroughly examined it before making their results public.

Kaspersky researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin wrote in the post, "What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity."

According to the researchers, the platform is essentially "a hallmark of APT malware" since it has update and delivery capabilities via reliable services like Bitbucket, GitHub, and GitLab—all of which use specially encrypted archives—as well as an integrated Tor network tunnel for communication with command-and-control (C2) servers./ The researchers further notes that discovering the breadth of StripedFly is ‘astonishing,’ taking into account its successful evasion from getting detected in six years. 

How Does StripedFly Operates? 

The main structural component of the malware is a monolithic binary code that could be expanded by the attackers through different pluggable modules. Every module, whether for added functionality or to offer a service, is in charge of setting up and maintaining its own callback function in order to communicate with a C2 server.

The platform initially emerges on a network as a PowerShell that seems to leverage a server message block (SMB) attack, which looks to be a modified variant of EternalBlue. EternalBlue was first discovered in April 2017 and is still a danger to unpatched Windows systems.

Depending on the availability of its PowerShell interpreter and certain privileges made available in the process, the malware uses a variety of methods for persistence. The researchers notes that, "typically, the malware would be running with administrative privileges when installed via the exploit, and with user-level privileges when delivered via the Cygwin SSH server," the researchers wrote.

The functionality modules are wide and varied, giving attackers a range of options that enable them to continuously monitor a victim's network activity. The modules include the Monero cryptominer mentioned earlier, as well as a variety of command handlers, a credential harvester, repeatable tasks that can record microphone input, take screenshots, and carry out other tasks on a scheduled basis, a reconnaissance module that gathers a lot of system data, and SMBv1 and SSH infectors for worming and penetration capabilities.

Malware WannaCry And Vulnerability EternalBlue Remain at Large

 

One specific aspect of malware and one vulnerability continues to develop as security companies have been reconstructing the highest trends in the past weeks that is - WannaCry and EternalBlue. WannaCry spreads quickly since Windows Server Message Block Version 1, also known as EternalBlue, had a vulnerability to a broad flaw. Microsoft had already fixed the vulnerability, CVE-2017-0143 - effectively, shortly before WannaCry was released - with its system update MS17-010.
For example, the security agency Trend Micro claims that WannaCry, trailed by cryptocurrency miners, and Emotet has been the most popular form of malware family found last year. Whereas Emotet was newly disrupted by police departments.

“The one thing that really keeps WannaCry prevalent and active is the fact that it is wormable ransomware,” says Rik Ferguson, vice president of security research at Trend Micro. "Couple that with the fact that Shodan showed me just now that there remain 9,131 internet-facing machines vulnerable to MS17-010 and you quickly begin to understand why it continues to propagate." 

The National Security Agency, which apparently developed the exploit for the SMB v1 flaw, seems to have started the EternalBlue. This exploit was then leaked or robbed by the Shadow Brokers Party in 2017 and eventually obtained and leaked. Two months later, EternalBlue-targeting was released, with many analysts claiming it was created by North Korean hackers, who then might have lost all control of the WannaCry. 

Although WannaCry seems to be the malware frequently detected, it does not imply that it is the most harmful or even most of the devices contain it. Not all such codes are published and even if they are, they don't guarantee success. 

However, everything being favorable, the continued circulation of WannaCry shows that at least some unencrypted devices remain infected. Regrettably, certain unencrypted systems asymptotically decrease, never reaching zero. In 2020, Conficker - a Malware Family that was initially identified as targeting a vulnerability in Microsoft Server - was the 15th largest form of malware by Trend Micro. "Other variants after the first Conficker worm spread to other machines by dropping copies of itself in removable drives and network shares," according to Trend Micro. 

Though ransomware profits may be rising, the most frequently viewed malware in the wild has improved little in recent times from a quantitative point of view. 

The Finnish security company, F-Secure, for example, lists network exploits and file handling errors as the most malicious code attacks in 2020. And the most frequently viewed form of attempted exploit still battles the EternalBlue vulnerability of SMB v1. "There are three different threat detections that contributed to this: Rycon, WannaCry, and Vools," Christine Bejerasco, vice president of security firm F-Secure, Tactical Defense Unit, stated.