A powerful piece of malware has been disguising itself as a trivial cryptocurrency miner to help it evade detection for more than five years, according to antivirus provider Kaspersky.
This so-called “StripedFly” malware has infected over 1 million Windows and Linux computers around the globe since 2016, Kaspersky says in a report released today.
The company’s security researchers began investigating the threat last year when they noticed Kaspersky’s antivirus products flagging two detections inside wininit.exe, the legitimate Windows start-up process that launches core system services during boot.
The detections were then traced to StripedFly, which had originally been classified as a cryptocurrency miner. On closer examination, Kaspersky’s researchers found that the miner is merely one component of a far more complex, modular malware framework whose techniques are believed to have originated with the US National Security Agency.
Specifically, StripedFly incorporates its own version of EternalBlue, the notorious NSA-developed exploit for a flaw in Windows’ SMBv1 file-sharing protocol (patched by Microsoft in March 2017 as MS17-010). EternalBlue was leaked by the Shadow Brokers group and then used in the WannaCry ransomware attack to infect hundreds of thousands of Windows machines in 2017.
According to Kaspersky, StripedFly uses its custom EternalBlue implementation to compromise Windows systems that never received the patch, then quietly spreads across the victim’s network, reaching Linux machines as well. The malware can then harvest sensitive data from infected computers, such as login credentials and personal data.
“Furthermore, the malware can capture screenshots on the victim's device without detection, gain significant control over the machine, and even record microphone input,” the company’s security researchers added.
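Because the implant was first noticed as unexpected activity inside wininit.exe, a defender’s natural follow-up is to hunt for the same kind of anomaly in their own telemetry. The script below is an added illustration, not Kaspersky’s detection logic and not taken from the report: it triages Sysmon-style process-creation (event 1) and network-connection (event 3) records and flags wininit.exe that makes outbound connections, runs from a path other than System32, or was started by something other than smss.exe. The assumption that a healthy wininit.exe never makes network connections, and the event records themselves, are constructed for the example.

```python
"""Hunt for StripedFly-style abuse of wininit.exe in Sysmon-like events.

Added example; not Kaspersky's detection logic and not from the report.
Assumptions (not stated in the article): on a healthy host wininit.exe is
launched by smss.exe from C:\\Windows\\System32 and makes no network
connections, so an outbound connection from it, or a copy running from
another path or parent, deserves triage. All events below are constructed.
"""
from dataclasses import dataclass
import ntpath  # Windows path semantics even when run on Linux/macOS

SYSTEM32 = r"c:\windows\system32"


@dataclass
class Event:
    event_id: int            # Sysmon numbering: 1 = process create, 3 = network connection
    image: str               # full path of the process that generated the event
    parent_image: str = ""   # only meaningful for event 1
    dest_ip: str = ""        # only meaningful for event 3
    dest_port: int = 0


def _basename_lower(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(events):
    """Return (reason, detail) tuples for every suspicious wininit.exe observation."""
    findings = []
    for ev in events:
        if _basename_lower(ev.image) != "wininit.exe":
            continue
        # A real wininit.exe lives in System32; anything else is a look-alike.
        if ntpath.dirname(ev.image).lower() != SYSTEM32:
            findings.append(("unexpected_path", ev.image))
        # The genuine process is only ever spawned by smss.exe at boot.
        if ev.event_id == 1 and _basename_lower(ev.parent_image) != "smss.exe":
            findings.append(("unexpected_parent", ev.parent_image))
        # wininit.exe has no business talking on the network; port 445 in
        # particular would be consistent with SMB lateral movement.
        if ev.event_id == 3:
            findings.append(("network_from_wininit", f"{ev.dest_ip}:{ev.dest_port}"))
    return findings


# Constructed sample: a normal boot sequence followed by two anomalies.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\wininit.exe",
          parent_image=r"C:\Windows\System32\smss.exe"),
    Event(1, r"C:\Windows\System32\services.exe",
          parent_image=r"C:\Windows\System32\wininit.exe"),
    Event(3, r"C:\Windows\System32\wininit.exe", dest_ip="10.0.0.5", dest_port=445),
    Event(1, r"C:\Users\Public\wininit.exe",
          parent_image=r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_EVENTS):
        print(f"{reason}: {detail}")
```

Note what this logic can and cannot see: a process-tree or path check catches a masquerading copy of wininit.exe, but code injected into the genuine process, as Kaspersky described, only shows up through the process’s behaviour, which is why the network-connection rule is the one that matters for this case.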
To evade detection, the creators behind StripedFly settled on a novel method by adding a cryptocurrency mining module to prevent
Read more on pcmag.com