StripedFly malware operated quietly for 5 years, infecting a million devices

admin, 2023-11-06 12:34:40

An advanced strain of malware masquerading as a cryptocurrency miner has managed to fly under the radar for over five years, infecting no less than one million devices around the world in the process.

That's according to findings from Kaspersky, which has codenamed the threat StripedFly, describing it as an "intricate modular framework that supports both Linux and Windows."

The Russian cybersecurity vendor, which first detected the samples in 2017, said the miner is part of a much larger entity that employs a custom EternalBlue SMBv1 exploit attributed to the Equation Group in order to infiltrate publicly-accessible systems.

The malicious shellcode, delivered via the exploit, has the ability to download binary files from a remote Bitbucket repository as well as execute PowerShell scripts. It also supports a collection of plugin-like expandable features to harvest sensitive data and even uninstall itself.

The platform's shellcode is injected in the wininit.exe process, a legitimate Windows process that's started by the boot manager (BOOTMGR) and handles the initialization of various services.

"The malware payload itself is structured as a monolithic binary executable code designed to support pluggable modules to extend or update its functionality," security researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin said in a technical report published last week.

"It comes equipped with a built-in TOR network tunnel for communication with command servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives."

Other notable spy modules allow it to gather credentials every two hours, capture screenshots on the victim's device without detection, record microphone input, and start a reverse proxy to execute remote actions.

Upon gaining a successful foothold, the malware disables the SMBv1 protocol on the infected host and propagates to other machines through a worming module that spreads over both SMB and SSH, the latter using keys harvested from the compromised systems.

StripedFly achieves persistence by either modifying the Windows Registry or by creating task scheduler entries if the PowerShell interpreter is installed and administrative access is available. On Linux, persistence is accomplished by means of a systemd user service, autostarted .desktop file, or by modifying /etc/rc*, profile, bashrc, or inittab files.
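A defender's audit of the Linux persistence locations the report names, as an added example that is not from the original article or Kaspersky's tooling; the sample tree, its file names and the extra `etc/rc*.d/*` pattern are constructed assumptions.

```python
import glob
import os
import tempfile
import time
from datetime import datetime, timezone

# Locations from the report, relative to root; "etc/rc*.d/*" is an added assumption.
SYSTEM_PATTERNS = ["etc/rc*", "etc/rc*.d/*", "etc/inittab", "etc/profile"]
USER_PATTERNS = [".config/systemd/user/*", ".config/autostart/*.desktop",
                 ".profile", ".bashrc"]

def audit_persistence(root="/", max_age_days=None):
    """Sorted (relative path, UTC mtime) pairs for files in the persistence
    locations; max_age_days keeps only recently modified ones (triage filter)."""
    patterns = [os.path.join(root, p) for p in SYSTEM_PATTERNS]
    homes = [os.path.join(root, "root")] + glob.glob(os.path.join(root, "home", "*"))
    for home in homes:
        patterns += [os.path.join(home, p) for p in USER_PATTERNS]
    cutoff = None if max_age_days is None else time.time() - max_age_days * 86400
    findings = []
    for path in (p for pat in patterns for p in glob.glob(pat)):
        if not os.path.isfile(path):
            continue  # rc*.d directories themselves are not entries
        mtime = os.path.getmtime(path)
        if cutoff is None or mtime >= cutoff:
            stamp = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
            findings.append((os.path.relpath(path, root), stamp))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample: two old benign files plus two fresh user autostart
    entries launching a hidden binary (all names are made up for the demo)."""
    files = {
        "etc/rc.local": "#!/bin/sh\nexit 0\n",
        "home/alice/.bashrc": "alias ll='ls -l'\n",
        "home/alice/.config/systemd/user/update.service": "[Service]\nExecStart=/tmp/.x\n",
        "home/alice/.config/autostart/x.desktop": "[Desktop Entry]\nExec=/tmp/.x\n",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w") as fh:
            fh.write(body)
    old = time.time() - 400 * 86400  # backdate the benign files
    for rel in ("etc/rc.local", "home/alice/.bashrc"):
        os.utime(os.path.join(base, rel), (old, old))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_persistence(tmp), audit_persistence(tmp, max_age_days=30)
```

Run `audit_persistence("/")` on a live host, or with `root` pointing at a mounted image, and diff the output against a known-good baseline; the 30-day filter is what separates the planted entries from the long-standing ones in the demo.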

Also downloaded is a Monero cryptocurrency miner that leverages DNS over HTTPS (DoH) requests to resolve the pool servers, adding an extra layer of stealth to the malicious activities. It has been assessed that the miner is used as a decoy to prevent security software from discovering the full extent of the malware's capabilities.

In an effort to minimize the footprint, malware components that can be offloaded are hosted as encrypted binaries on various code repository hosting services such as Bitbucket, GitHub, or GitLab.

For instance, the Bitbucket repository operated by the threat actor since June 2018 includes executable files capable of serving the initial infection payload across both Windows and Linux, checking for new updates, and ultimately updating the malware.

Communication with the command-and-control (C2) server, which is hosted in the TOR network, takes place using a custom, lightweight implementation of a TOR client that is not based on any publicly documented methods.

"The level of dedication demonstrated by this functionality is remarkable," the researchers said. "The goal of hiding the C2 server at all costs drove the development of a unique and time-consuming project – the creation of its own TOR client."

Another striking characteristic is that these repositories act as fallback mechanisms for the malware to download the update files when its primary source (i.e., the C2 server) becomes unresponsive.

Kaspersky said it further uncovered a ransomware family called ThunderCrypt that shares significant source code overlaps with StripedFly, apart from the absence of the SMBv1 infection module. ThunderCrypt is said to have been used against targets in Taiwan in 2017.

The origins of StripedFly remain presently unknown, although the sophistication of the framework and its parallels to EternalBlue exhibit all the hallmarks of an advanced persistent threat (APT) actor.

It's worth pointing out that while the Shadow Brokers' leak of the EternalBlue exploit took place on April 14, 2017, the earliest identified version of StripedFly incorporating EternalBlue dates back a year earlier, to April 9, 2016. Since the leak, the EternalBlue exploit has been repurposed by North Korean and Russian hacking outfits to spread the WannaCry and Petya malware.

That said, there's also evidence that Chinese hacking groups may have had access to some of the Equation Group's exploits before they were leaked online, as disclosed by Check Point in February 2021.

The similarities to malware associated with the Equation Group, Kaspersky said, are also reflected in the coding style and practices, which resemble those seen in STRAITBIZARRE (SBZ), another cyber espionage platform wielded by the suspected U.S.-linked adversarial collective.

The development comes nearly two years after researchers from China's Pangu Lab detailed a "top-tier" backdoor called Bvp47 that was allegedly put to use by the Equation Group on more than 287 targets spanning multiple sectors in 45 countries.

Needless to say, a crucial aspect of the campaign that continues to be a mystery – other than to those who engineered the malware – is its real purpose.

"While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn't opt for the potentially more lucrative path instead," the researchers said.

"It's difficult to accept the notion that such sophisticated and professionally designed malware would serve such a trivial purpose, given all the evidence to the contrary."

Originally published on the WeChat official account 知机安全: StripedFly malware operated quietly for 5 years, infecting a million devices

Reposted by CN-SEC中文网 (original link to keep when reposting): https://cn-sec.com/archives/2179709.html
