Spy platform StripedFly poses as crypto miner, stealing billions from crypto investors since at least 2017

The price of Bitcoin has experienced a roller-coaster ride over the past two years, fluctuating from its peak of $69,000 a few years back to $34,000 at the time of this writing. But that has stopped crypto enthusiasts from venturing into mining their own digital currency.

However, this path to cryptocurrency riches has not been without its pitfalls. Many crypto enthusiasts have unwittingly fallen prey to deceptive websites that pose as legitimate crypto mining platforms, only to discover that they are in fact spyware sites. The most recent case in point is StripedFly, a highly sophisticated spy platform that masqueraded as a cryptocurrency miner infecting over a million individuals globally, according to a new report from cybersecurity firm Kaspersky Lab.

According to researchers at Kaspersky Lab, who first discovered the StripedFly malware on customer systems back in August 2017, the malicious software was engineered to steal sensitive data, encompassing passwords, financial information, and even classified government secrets. The stolen data was sent back to the attackers’ servers, opening the door to a range of nefarious activities including identity theft, financial fraud, and espionage.

“In 2022, Kaspersky’s Global Research and Analysis Team encountered two unexpected detections within the WININIT.EXE process, triggered by the code sequences that were earlier observed in the Equation malware. StripedFly activity had been ongoing since at least 2017 and had effectively evaded prior analysis, previously being misclassified as a cryptocurrency miner. After conducting a comprehensive examination of the issue, it was discovered that the cryptocurrency miner was merely a component of a much larger entity – a complex, multi-platform, multi-plugin malicious framework,” Kaspersky Lab reported.

The creators of StripedFly carefully disguised the malware as a legitimate cryptocurrency mining application, enabling it to evade detection by security experts and antivirus programs for an extended period.

Upon infiltrating a victim’s computer, StripedFly appeared to engage in cryptocurrency mining on behalf of the attackers. Yet, this ruse concealed its true objective: conducting surveillance on victims and absconding with their personal data.

Initially, the researchers didn’t attribute much significance to the malware. They believed it to be a cryptocurrency miner created by cybercriminals, yet not a very successful one at that. In 2017, it only managed to generate $10 by mining Monero cryptocurrency and approximately $500 in 2018.

However, when newer samples of the miner surfaced last year on machines belonging to government agencies and large commercial organizations worldwide—untypical targets for cryptocurrency miners—Kaspersky researchers decided to delve deeper into the matter.

Further inspection revealed that the miner was, in fact, a front for a highly sophisticated spy platform that has infected over a million victims globally since 2017. In 2023, Kaspersky Lab researchers uncovered and unveiled StripedFly. Despite its exposure, the malware had already inflicted an estimated billions of dollars in damages.

This revelation of StripedFly serves as a stark reminder that cybercriminals continuously evolve their tactics, unveiling increasingly sophisticated methods to target their victims. It underscores the vital need for heightened vigilance regarding cybersecurity and emphasizes the importance of taking proactive measures to safeguard devices and sensitive data.

Sergey Lozhkin, principal security researcher at Kaspersky’s Global Research and Analysis Team, stated that Kaspersky software initially detected something malicious within the WININIT.EXE process on customer computers. This triggered investigation due to code sequences akin to malware previously utilized by the NSA’s Equation Group hackers. This led them to connect it back to their 2017 discovery of the cryptocurrency miner.

This cryptocurrency miner is just one facet of a larger and intricate platform known as StripedFly. It is intended for use on both Windows and Linux-based systems and incorporates numerous plugins providing the attackers with expansive spying capabilities. While such functionality is typical in nation-state spying platforms, it’s not common in criminal malware, which was the initial misconception held by the researchers regarding the cryptocurrency miner.

According to Lozhkin, StripedFly displays certain resemblances to Equation Group malware, with coding style and practices bearing similarities to an NSA implant referred to as STRAITBIZARRE, disclosed during the Edward Snowden leaks in 2013. Despite these parallels, researchers emphasize that there’s “no direct evidence establishing their connection” or confirming StripedFly as an NSA platform.

However, Lozhkin notes, “The amount of effort invested in creating this framework is truly remarkable, and its unveiling was quite astonishing.” His team had previously shared details about StripedFly in a private technical report last year but intends to publicly present their findings for the first time on Thursday at the company’s Security Analyst Summit in Thailand, Kim Zetter wrote on Medium.