Alongside some recent developments and known vulnerabilities, something has gone undetected for 5 years.
The Forum of Incident Response and Security Teams (FIRST) has officially introduced CVSS v4.0, a significant advancement in the Common Vulnerability Scoring System standard, after more than eight years since CVSS v3.0.
It introduced supplemental metrics such as Safety, Automatable, Recovery, and more to provide a more comprehensive evaluation of vulnerabilities.
It also included terminology to emphasize that CVSS is not solely about the Base score but should be considered in combination with environmental and threat metrics.
Flaws and Fixes
Researchers have also identified active exploitation of a critical security flaw in the Apache ActiveMQ open-source message broker service. The flaw, tracked as CVE-2023-46604, carries the maximum CVSS score of 10.0, reflecting its severity.
Simultaneously, another critical vulnerability, CVE-2023-46747, affecting BIG-IP software, has been exploited by threat actors. This flaw allows unauthenticated attackers to execute arbitrary system commands, and the availability of a proof-of-concept exploit further escalates the threat.
In response to these active threats, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog.
Kaspersky, the renowned cybersecurity authority, has aptly dubbed this stealthy adversary StripedFly, and its capabilities are nothing short of impressive.
The Modular Framework
StripedFly is no run-of-the-mill malware! It’s a meticulously crafted modular framework that seamlessly operates on both Linux and Windows systems.
Its origins date back to 2017, when Kaspersky first identified the samples. The malware is just a part of a larger entity, utilizing the EternalBlue SMBv1 exploit, previously attributed to the Equation Group, to infiltrate publicly accessible systems.
Shellcode and Stealthy Techniques
What sets StripedFly apart is the range of techniques it combines:
- it can download binary files from remote Bitbucket repositories,
- it can execute PowerShell scripts, and
- it boasts plugin-like features for harvesting sensitive data.
Will you believe it? It can even uninstall itself, leaving no trace behind. The malware deploys its shellcode within the legitimate wininit.exe process, an integral part of the Windows boot process.
The malware payload is structured as a monolithic binary executable designed for pluggable modules to extend or update its functionality.
Did You First Think of Tor as the Safest Browser?
To maintain stealth, StripedFly operates within the TOR network, communicating through a custom TOR client and sidestepping publicly documented methods. It’s a testament to the dedication behind this creation.
It’s a SPY!
StripedFly doesn’t stop at data harvesting; it’s equipped with spy modules that gather credentials, capture screenshots without detection, record microphone input, and initiate a reverse proxy for remote actions.
But How?
It establishes persistence through Windows Registry modifications or task scheduler entries, depending on the presence of the PowerShell interpreter and administrative access.
On Linux, it achieves persistence via systemd user services, autostarted .desktop files, or modifications to system files.
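As an added illustration, not code from Kaspersky or from the malware, here is a small triage script for the two Linux user-level persistence locations just named: systemd user units (~/.config/systemd/user/*.service) and XDG autostart entries (~/.config/autostart/*.desktop). It parses each file, extracts the command it launches, and flags commands that point into temporary or hidden directories; the sample files and the trusted/suspect path lists are constructed assumptions for this example.

```python
import shlex

# Assumed heuristics: where benign autostart binaries normally live, versus
# tmpfs locations (and hidden directories) a defender should examine closely.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/", "/opt/")
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_ini(text):
    """Minimal parser for the INI-like .service/.desktop syntax: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def launch_command(text):
    """Command the entry starts: ExecStart for a unit, Exec for a .desktop file, else None."""
    sections = parse_ini(text)
    return sections.get("Service", {}).get("ExecStart") or sections.get("Desktop Entry", {}).get("Exec")

def classify(command):
    """'trusted', 'suspect' or 'review'; every token is checked so 'sh -c /path' wrappers are caught."""
    if not command:
        return "review"
    # systemd allows prefixes such as '-', '@', '+' in front of the executable path
    tokens = [t.lstrip("-@:+!") for t in shlex.split(command)]
    if any(t.startswith(SUSPECT_PREFIXES) or "/." in t for t in tokens):
        return "suspect"
    return "trusted" if tokens[0].startswith(TRUSTED_PREFIXES) else "review"

def audit(entries):
    """entries: {filename: file text} -> {filename: (launch command, verdict)}."""
    results = {}
    for name, text in entries.items():
        cmd = launch_command(text)
        results[name] = (cmd, classify(cmd))
    return results

# Constructed sample files standing in for a real ~/.config tree.
SAMPLES = {
    "nm-applet.desktop": "[Desktop Entry]\nType=Application\nExec=/usr/bin/nm-applet\n",
    "svc.service": "[Unit]\nDescription=sync\n[Service]\nExecStart=/home/user/.cache/.x/svc --daemon\n[Install]\nWantedBy=default.target\n",
    "update.desktop": "[Desktop Entry]\nType=Application\nExec=sh -c /dev/shm/.u/run\n",
}
```

Call `audit(SAMPLES)` to see the verdicts; on a live host, feed it the contents of the two directories instead of the constructed samples.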
Cryptocurrency Mining as a Decoy
StripedFly downloads a Monero cryptocurrency miner that employs DNS over HTTPS (DoH) requests to resolve pool servers.
It looks like a smokescreen to divert security software’s attention away from its true capabilities.
To minimize its footprint, various components are hosted as encrypted binaries on code repository platforms like Bitbucket, GitHub, and GitLab.
Are We Under Silent Attack?
The true purpose behind StripedFly’s campaign remains an enigma. Given this development, you cannot know which malware or detection system is monitoring you. What can we do, then?
Just be prudent! The first line of defense works in every scenario. Use strong passwords, install a VPN and anti-virus on your devices, and keep them updated. Also, learn about cyber intrusions.