https://bit.ly/3SlAjfj

🔍 StripedFly Infection: A shellcode was identified in the WININIT.EXE process, capable of downloading files from bitbucket[.]org and executing PowerShell scripts. The infection originated from an SMBv1 exploit reminiscent of EternalBlue. After infecting a host, it propagated within networks using that exploit and the SSH protocol, leveraging the SSH keys found on the infected machine. #CyberSecurity #MalwareDetection

🔄 Persistence Methods: The malware adjusts its behavior based on the presence of PowerShell and on its access rights. If PowerShell is absent, a hidden file is generated in %APPDATA%. Otherwise, its actions vary, establishing persistence on Windows or Linux in multiple ways. #DigitalThreat #MalwarePersistence

📂 Bitbucket Repository: Hosted on bitbucket[.]org, the repository was created in June 2018 under the name Julie Heilman. It contained various files, with system.img being the primary infection tool for Windows. As of September 2023, 60,000 initial infections had been reported since April 2023. #CyberAttack #DigitalForensics

🔌 Modules: The malware uses a pluggable module system, a trait of APT malware. It has both service and functionality modules, each designed for specific tasks. These range from configuration storage and upgrades to command handling and credential harvesting. #APT #ModularMalware

💻 Functionality Modules: These modules perform a variety of tasks. They can interact with the victim's file system, capture data, and execute commands received from the C2 server. They are also capable of scanning for and collecting sensitive information from active users. #DataBreach #CyberEspionage

⛏ Monero Mining: A disguised Monero mining module runs as a chrome.exe process. The process is closely monitored, and its statistics are reported to the C2 server. Interestingly, the mining module may serve as a disguise rather than as a source of maximum profit. #CryptoMining #CyberSec

⚡ ThunderCrypt Ransomware: During the analysis, a related ransomware called ThunderCrypt, linked to the same C2 server, was discovered. The ransomware had nearly the same functionality as StripedFly, but it drew the most attention from a failed attempt in Taiwan. #Ransomware #DigitalAttack

🔵 EternalBlue Connection: Parallels were drawn between the infamous EternalBlue exploit and StripedFly's creators. Based on PE timestamps, a connection between the two is likely, although complete validation remains elusive.
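As an added illustration (not code from the original post or from the underlying report), the following Python triage routine flags, over constructed Sysmon-style event records, the three host-level behaviours the summary describes: a core system process such as wininit.exe making outbound connections (to bitbucket.org in particular), a chrome.exe running from outside Chrome's normal install locations, and a hidden file appearing in %APPDATA%. The event schema and the `hidden` enrichment flag are assumptions, not a real telemetry format.

```python
import re
from pathlib import PureWindowsPath

# Constructed, Sysmon-like event records (not real telemetry). id 1 = process create,
# 3 = network connect, 11 = file create; the "hidden" flag is an assumed enrichment.
SAMPLE_EVENTS = [
    {"id": 3, "image": r"C:\Windows\System32\wininit.exe", "dest_host": "bitbucket.org", "dest_port": 443},
    {"id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "www.google.com", "dest_port": 443},
    {"id": 1, "image": r"C:\Users\alice\AppData\Roaming\chrome.exe", "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "target": r"C:\Users\alice\AppData\Roaming\svc.dat", "hidden": True},
    {"id": 11, "target": r"C:\Users\alice\AppData\Roaming\notes.txt", "hidden": False},
]

# Core Windows processes that should not initiate outbound network connections themselves.
NO_NETWORK_IMAGES = {"wininit.exe", "smss.exe", "csrss.exe"}
# Code-hosting domains the summary names as a download source; raise severity when seen.
CODE_HOSTING = {"bitbucket.org", "github.com", "gitlab.com"}
# Where a genuine chrome.exe normally lives (system-wide or per-user install).
LEGIT_CHROME = re.compile(
    r"^c:\\(program files( \(x86\))?|users\\[^\\]+\\appdata\\local)\\google\\chrome\\application\\chrome\.exe$"
)
# %APPDATA% resolves to the per-user Roaming folder.
APPDATA_ROAMING = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\")

def _norm(path):
    """Normalise a Windows path for case-insensitive matching."""
    return str(PureWindowsPath(path)).lower()

def analyze(events):
    """Return one finding dict per event that matches a StripedFly-style heuristic."""
    findings = []
    for ev in events:
        if ev["id"] == 3:
            image = _norm(ev["image"])
            if PureWindowsPath(image).name in NO_NETWORK_IMAGES:
                sev = "high" if ev["dest_host"].lower() in CODE_HOSTING else "medium"
                findings.append({"rule": "system_process_outbound", "severity": sev, "image": image, "host": ev["dest_host"]})
        elif ev["id"] == 1:
            image = _norm(ev["image"])
            if PureWindowsPath(image).name == "chrome.exe" and not LEGIT_CHROME.match(image):
                findings.append({"rule": "chrome_masquerade", "severity": "high", "image": image})
        elif ev["id"] == 11:
            target = _norm(ev["target"])
            if ev.get("hidden") and APPDATA_ROAMING.match(target):
                findings.append({"rule": "hidden_file_in_appdata", "severity": "low", "target": target})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events this yields three findings; the hidden-file rule is deliberately low severity on its own, since legitimate software also drops hidden files there, and is meant to be correlated with the other two.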