Key points
- StripedFly is a modular cross-platform framework with a lightweight custom TOR client for C2 and uses encrypted payload archives hosted on Bitbucket/GitLab/GitHub (e.g., system.img, ota.img, delta.img).
- Initial compromise leveraged a custom SMBv1 EternalBlue-like exploit (dating prior to April 2017) that runs kernel shellcode which injects user-space shellcode to deploy the payload.
- Propagation combines an SMBv1 worming module for Windows and an SSH infector for Linux, using harvested SSH keys and credentials to spread and upload platform-appropriate binaries.
- Persistence varies by platform and environment: Windows techniques include hidden MZ-PE loaders in %APPDATA%, registry Run keys, and scheduled tasks via PowerShell; Linux uses disguised (sd-pam) binaries, systemd services, autostart .desktop files, rc/profile modifications, and /tmp-installed executables.
- The framework supports pluggable service and functionality modules: credential harvesting (browser and client credentials), recon (extensive system and network enumeration), reverse proxy, repeatable tasks (screenshots, microphone, file collection), process injection/shellcode execution, and a Monero mining process masked as chrome.exe.
- Updates and fallback delivery use public repositories (Bitbucket/GitLab/GitHub); the malware downloads ota.dat/delta.dat to trigger ota.img/delta.img upgrades when C2 is unresponsive.
MITRE Techniques
- [T1210] Exploitation of Remote Services – Used a custom EternalBlue SMBv1 exploit to infiltrate victims: ‘this malware employed a custom EternalBlue SMBv1 exploit to infiltrate its victims’ systems.’
- [T1021.002] Remote Services: SSH – Propagation and remote installation via SSH using keys found on compromised hosts: ‘…relying not only on the exploit but also on the SSH protocol, using keys found on the victim’s machine.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – Downloads and executes PowerShell scripts and uses PowerShell loaders for persistence: ‘…has the ability to download binary files from bitbucket[.]org and execute PowerShell scripts.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Stores loader and encoded archive in registry Run keys to persist: ‘…registered with a GUID-like name within the Windows registry key Software\Microsoft\Windows\CurrentVersion\Run.’
- [T1053.005] Scheduled Task/Job – Creates scheduled tasks with GUID-like names to execute PowerShell loader when administrative rights are available: ‘…creates two task scheduler entries with GUID-like names.’
- [T1105] Ingress Tool Transfer – Retrieves encrypted/compressed payload archives (system.img, ota.img, delta.img) from public repositories for initial infection and updates: ‘…system.img file serves as the authentic payload archive used for initial Windows system infections.’
- [T1090] Proxy – Implements a custom, lightweight TOR client to hide and tunnel C2 communications over the TOR network: ‘…built-in TOR network tunnel for communication with command servers…’
- [T1055] Process Injection – Kernel shellcode injects additional shellcode into user space to deploy payloads: ‘The kernel shellcode, delivered via an exploit, injects an additional shellcode into the user space.’
- [T1082] System Information Discovery – Recon module gathers detailed host and network information for reporting to C2: ‘…compiles extensive system information and transmits it to the C2 server… operating system version, computer name, list of hardware MAC addresses…’
- [T1113] Screen Capture – Module can capture screenshots as part of repeatable tasks: ‘…capture screenshots…’
- [T1555.003] Credentials from Web Browsers – Credential harvester extracts saved website login usernames/passwords and autofill data from multiple browsers: ‘…collects a range of sensitive information… website login usernames and passwords…’
Indicators of Compromise
- [C2 Servers] TOR C2 addresses – gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad[.]onion:1111, ghtyqipha6mcwxiz[.]onion:1111, and 1 more onion address
- [Repository URLs] Payload/update hosting – bitbucket[.]org/JulieHeilman/m100-firmware-mirror/downloads/, gitlab[.]com/JulieHeilman/m100-firmware-mirror/raw/master/, and other related repo URLs
- [Mining Pool Endpoints] Monero pool endpoints – tcp://pool.minexmr[.]com:4444, tcp://mine.aeon-pool[.]com:5555
- [Payload file names] Archive and update files – system.img (Windows payload), ota.img (Windows update), delta.img (Linux payload)
- [system.img hashes] Example payload hashes – b28c6d00855be3b60e220c32bfad2535, 18f5ccdd9efb9c41aa63efbe0c65d3db, and 8 more hashes
- [delta.dat hashes] Linux update check files – 00c9fd9371791e9160a3adaade0b4aa2, 41b326df0d21d0a8fad6ed01fec1389f
- [ota.dat hashes] Windows update check files – 2e2ef6e074bd683b477a2a2e581386f0, 04df1280798594965d6fdfeb4c257f6c
- [ThunderCrypt hashes] Related ransomware samples – 120f62e78b97cd748170b2779d8c0c67, d64361802515cf32bd34f98312dfd40d
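The indicators above are most useful when they can be matched against what a network actually logged. The following is an added example, not code from the Securelist report or from the StripedFly authors: it takes the defanged indicators listed above (the two fully printed onion addresses, the two repository paths, the two pool hostnames, the payload file names and the hashes), refangs them, and scans log lines for hits. The log format and every log line are constructed for the demo; real proxy, DNS and hash-inventory logs will need their own field parsing.

```python
import re

# Indicators copied from the IoC list above, kept in their defanged form.
IOCS = {
    "c2_onion": [
        "gpiekd65jgshwp2p53igifv43aug2adacdebmuuri34hduvijr5pfjad[.]onion",
        "ghtyqipha6mcwxiz[.]onion",
    ],
    "repo_url": [
        "bitbucket[.]org/JulieHeilman/m100-firmware-mirror/downloads/",
        "gitlab[.]com/JulieHeilman/m100-firmware-mirror/raw/master/",
    ],
    "mining_pool": ["pool.minexmr[.]com", "mine.aeon-pool[.]com"],
    # File names are a weak signal on their own (generic firmware image names);
    # treat a hit here as context for the other categories, not as proof.
    "payload_name": ["system.img", "ota.img", "delta.img", "ota.dat", "delta.dat"],
    "md5": [
        "b28c6d00855be3b60e220c32bfad2535", "18f5ccdd9efb9c41aa63efbe0c65d3db",
        "00c9fd9371791e9160a3adaade0b4aa2", "41b326df0d21d0a8fad6ed01fec1389f",
        "2e2ef6e074bd683b477a2a2e581386f0", "04df1280798594965d6fdfeb4c257f6c",
        "120f62e78b97cd748170b2779d8c0c67", "d64361802515cf32bd34f98312dfd40d",
    ],
}


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a real dot so it matches live logs."""
    return indicator.replace("[.]", ".")


def build_matchers(iocs=IOCS):
    """One case-insensitive alternation per category. Longer literals go first so
    a full onion address wins over any shorter overlapping literal."""
    matchers = {}
    for category, values in iocs.items():
        literals = sorted((re.escape(refang(v)) for v in values), key=len, reverse=True)
        matchers[category] = re.compile("|".join(literals), re.IGNORECASE)
    return matchers


MATCHERS = build_matchers()


def scan_lines(lines, matchers=MATCHERS):
    """Return (line_number, category, matched_text) for every indicator hit.
    One line can hit several categories, e.g. a repo URL ending in system.img."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for category, pattern in matchers.items():
            for match in pattern.finditer(line):
                hits.append((number, category, match.group(0)))
    return hits


def summarize(hits):
    """Count hits per category; a quick triage view over a large log."""
    counts = {}
    for _, category, _ in hits:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample lines in a simple proxy/DNS/hash-inventory style; not real telemetry.
SAMPLE_LOGS = [
    "2023-10-12T08:01:33Z proxy CONNECT ghtyqipha6mcwxiz.onion:1111 from 10.0.4.17",
    "2023-10-12T08:02:10Z proxy GET https://bitbucket.org/JulieHeilman/m100-firmware-mirror/downloads/system.img 200",
    "2023-10-12T08:05:41Z dns query pool.minexmr.com A from 10.0.4.17",
    "2023-10-12T08:06:02Z hashinv C:\\Users\\a\\AppData\\Roaming\\x.tmp md5=b28c6d00855be3b60e220c32bfad2535",
    "2023-10-12T08:07:00Z proxy GET https://example.test/index.html 200",
]

if __name__ == "__main__":
    for number, category, text in scan_lines(SAMPLE_LOGS):
        print(f"line {number}: {category} -> {text}")
    print(summarize(scan_lines(SAMPLE_LOGS)))
```

Because the malware tunnels C2 over TOR, the onion addresses will only appear in logs of hosts where TOR traffic is proxied or inspected; the repository URLs and the DoH or DNS lookups for pool servers are usually the easier network artefacts to find, and the hashes cover only the samples the report listed.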
StripedFly’s technical infection chain begins with a custom SMBv1 exploit (EternalBlue-like) that delivers kernel-mode shellcode; that kernel shellcode injects user-space payloads which pull an encrypted, compressed archive (system.img/ota.img/delta.img) from public repositories (Bitbucket/GitLab/GitHub) or from C2 fallback. The deployed monolithic executable loads pluggable modules, executes a lightweight custom TOR client to establish C2 over .onion addresses, and reports a generated 8-byte victim ID plus recon data to the server.
For persistence and execution the malware adapts to the host: on Windows it installs a hidden MZ-PE loader in %APPDATA%, stores Base64-encoded archives and scripts in registry keys (including HKCU/HKLM Run entries and Shell keys), and uses PowerShell-based loaders and scheduled tasks (GUID-like names) when available; on Linux it drops a randomly named binary in /tmp, hides as “(sd-pam)”, and registers via systemd services, autostart .desktop, or rc/profile modifications. The framework also implements worming via two infection vectors: an SMBv1 thread scanning LAN and random Internet IPs (with exclusions) and an SSH infector that uses harvested SSH keys/credentials to upload and execute platform-specific binaries.
Functionally, modules provide credential harvesting (browser and client credentials, SSH keys, Wi‑Fi and autofill data), reverse-proxy access into the victim network, recon (detailed system/network enumeration), repeatable tasks (screenshots, microphone recording, file collection), and process/shellcode execution; a separate Monero miner process masquerades as chrome.exe and reaches its mining pool servers through addresses resolved with DNS over HTTPS (DoH). The update/uninstall mechanism checks ota.dat/delta.dat and fetches ota.img/delta.img to perform upgrades when C2 is unavailable.
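The persistence artefacts described in the two paragraphs above (GUID-like Run values carrying PowerShell or Base64-encoded loaders, GUID-like scheduled task names, a "(sd-pam)" process and autostart entries pointing at a binary in /tmp) can be triaged from a registry export, a task list, a process list and autostart files. The block below is an added example written for this summary, not code from the Securelist report or from the StripedFly project. The GUID regex, the 100-character Base64 threshold, the rule that a GUID-like Run value must also look like a loader before it fires, and all sample entries (GUIDs, paths, commands, pids) are assumptions or constructed data.

```python
import re
from dataclasses import dataclass

# GUID-like names, with or without braces (the page describes GUID-like Run values and task names).
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.IGNORECASE
)
# A run of Base64 alphabet characters. The 100-character threshold is an assumption;
# tune it to your environment.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
POWERSHELL_RE = re.compile(r"\b(powershell(\.exe)?|pwsh(\.exe)?)\b", re.IGNORECASE)
TMP_EXEC_RE = re.compile(r"""(^|[\s="'])/tmp/""")


@dataclass
class Finding:
    source: str   # where the artifact was found (key path, task scheduler, pid, file)
    name: str     # the value name, task name, process name or command
    reason: str   # why it was flagged


def triage_run_keys(entries):
    """entries: (key_path, value_name, value_data). Flag GUID-like value names
    only when the data also looks like a loader (PowerShell or a Base64 blob),
    so a vendor entry that merely uses a GUID name does not fire."""
    findings = []
    for key_path, name, data in entries:
        reasons = []
        if GUID_RE.match(name):
            reasons.append("GUID-like value name")
        if POWERSHELL_RE.search(data):
            reasons.append("PowerShell launcher")
        if B64_BLOB_RE.search(data):
            reasons.append("long Base64 blob")
        if "GUID-like value name" in reasons and len(reasons) > 1:
            findings.append(Finding(key_path, name, "; ".join(reasons)))
    return findings


def triage_scheduled_tasks(task_paths):
    """task_paths: task names as the Task Scheduler shows them (folder path included)."""
    return [
        Finding("task scheduler", path, "GUID-like task name")
        for path in task_paths
        if GUID_RE.match(path.rsplit("\\", 1)[-1])
    ]


def triage_linux_processes(procs):
    """procs: (pid, comm, exe) as read from /proc/<pid>/comm and /proc/<pid>/exe.
    A legitimate (sd-pam) is forked by systemd --user, so its exe is the systemd
    binary; the disguise described on the page has the same name but runs from /tmp."""
    return [
        Finding(f"pid {pid}", comm, f"(sd-pam) name but exe is {exe}")
        for pid, comm, exe in procs
        if comm == "(sd-pam)" and exe.startswith("/tmp/")
    ]


def triage_autostart(entries):
    """entries: (file_path, command) from systemd ExecStart= or .desktop Exec= lines."""
    return [
        Finding(path, cmd, "autostart launches a binary under /tmp")
        for path, cmd in entries
        if TMP_EXEC_RE.search(cmd)
    ]


# Constructed samples; the GUIDs, paths and commands are invented for the demo.
SAMPLE_RUN_KEYS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "{3f2b1c9e-7a44-4d2f-9b61-0c5e8d1a2b3c}",
     "powershell.exe -w hidden -enc " + "QUFB" * 30),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "{11111111-2222-3333-4444-555555555555}", r"C:\Program Files\Vendor\agent.exe"),
]
SAMPLE_TASKS = [r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                r"\{9c1d2e3f-0a1b-4c2d-8e3f-4a5b6c7d8e9f}"]
SAMPLE_PROCS = [(812, "(sd-pam)", "/usr/lib/systemd/systemd"),
                (4471, "(sd-pam)", "/tmp/.xK9q2"),
                (4490, "bash", "/usr/bin/bash")]
SAMPLE_AUTOSTART = [("/etc/systemd/system/cups-browsed.service", "/usr/sbin/cups-browsed"),
                    ("~/.config/autostart/update.desktop", "/tmp/.xK9q2 --daemon")]

if __name__ == "__main__":
    for f in (triage_run_keys(SAMPLE_RUN_KEYS) + triage_scheduled_tasks(SAMPLE_TASKS)
              + triage_linux_processes(SAMPLE_PROCS) + triage_autostart(SAMPLE_AUTOSTART)):
        print(f"{f.source}: {f.name} [{f.reason}]")
```

Each check is deliberately a combination: a GUID-like name alone is common enough in vendor software that the Run-key rule also requires loader-like data, and the "(sd-pam)" name alone is a normal systemd child, so only the executable path decides. The same functions can be fed from a `reg export`, `schtasks /query`, `/proc` walk or a sweep of unit and `.desktop` files.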
Read more: https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/