Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Powerful Malware Disguised as Crypto Miner Infects 1M+ Windows, Linux PCs (pcmag.com) 19

PC Magazine reports: A powerful piece of malware has been disguising itself as a trivial cryptocurrency miner to help it evade detection for more than five years, according to antivirus provider Kaspersky. This so-called "StripedFly" malware has infected over 1 million Windows and Linux computers around the globe since 2016, Kaspersky says in a report released Thursday...

StripedFly incorporated a version of EternalBlue, the notorious NSA-developed exploit that was later leaked and used in the WannaCry ransomware attack to infect hundreds of thousands of Windows machines back in 2017. According to Kaspersky, StripedFly uses its own custom EternalBlue attack to infiltrate unpatched Windows systems and quietly spread across a victim's network, including to Linux machines. The malware can then harvest sensitive data from infected computers, such as login credentials and personal data. "Furthermore, the malware can capture screenshots on the victim's device without detection, gain significant control over the machine, and even record microphone input," the company's security researchers added.

To evade detection, the creators behind StripedFly settled on a novel method by adding a cryptocurrency mining module to prevent antivirus systems from discovering the malware's full capabilities.

This discussion has been archived. No new comments can be posted.

Powerful Malware Disguised as Crypto Miner Infects 1M+ Windows, Linux PCs

Comments Filter:
  • Infection point? (Score:4, Insightful)

    by kbrannen ( 581293 ) on Saturday October 28, 2023 @03:48PM (#63962140)
    It would have been really nice for the summary to tell us how it infects computers, especially the Linux ones. Some research makes it look like it does it via an SMBv1 exploit.
    • by Anonymous Coward

      To evade detection, the creators behind StripedFly settled on a novel method by adding a cryptocurrency mining module to prevent antivirus systems from discovering the malware's full capabilities.

      If your antivirus program doesn't automatically flag cryptocurrency mining as malware, it is crap.

      • Re:Infection point? (Score:5, Interesting)

        by Tehrasha ( 624164 ) on Saturday October 28, 2023 @04:12PM (#63962186) Homepage
        Thats the 'novel method' anti-virus DOES trip on crypto-mining, but if you tell the user they can be a make-money-fast crypto-bro they will turn off the AV to run the miner.

        The wording in the article is VERY BAD.

        It should have read....

        "To evade detection, the creators behind StripedFly settled on a novel method, by playing on the user's greed and ignorance of cryptocurrency, they hid the malware's full capabilities inside a mining module, thus ensuring the user would whitelist the infected application on their antivirus systems."

        • I "antivirus" software had stuck to detecting malware that problem would not occur. But they had to nag about "potentionally unwanted" and what not else. OTOH, they've got to detect something to appear to be worth their money and finding actual ransomware or spyware is obviously not within their capabilities.
      • This. How the hell did adding cryptomining capability make a program look *less* suspicious?

        • by Teun ( 17872 )
          Because people install the miner and disable the AV in order to run the miner by themself.
    • by ls671 ( 1122017 )

      It would have been really nice for the summary to tell us how it infects computers, especially the Linux ones. Some research makes it look like it does it via an SMBv1 exploit.

      When I glanced over TFS, I took for granted people voluntarily install it to mine some coins and supposidly make money.

    • It would have been really nice for the summary to tell us how it infects computers, especially the Linux ones. Some research makes it look like it does it via an SMBv1 exploit.

      Uh, when TFS suggested it was "unpatched" computers, I didn't realize they were talking about ones they found in the Microsoft wing of the museum. SMBv1? Seriously?

  • by Mirnotoriety ( 10462951 ) on Saturday October 28, 2023 @03:52PM (#63962150)
    According to Kaspersky, StripedFly uses its own custom EternalBlue attack to infiltrate unpatched Windows systems and quietly spread across a victim's network, including to Linux machines.

    How does this “cryptocurrency miner” “infiltrate its victims’ systems”, without the user downloading and executing the said malware?
    • by StormReaver ( 59959 ) on Saturday October 28, 2023 @04:05PM (#63962178)

      From what I've gleaned from reading the article (shame on me, I know):

      The malware makes use of a Windows networking flaw on machines still using SMBv1 to get administrator access on Windows. From there Powershell is used to automate the rest.

      It can only get onto Linux machines via the compromised Windows host. The Windows host will ssh into Linux machines using whatever ssh credentials exist on the Windows host, and remotely do its stuff as whatever Linux user it found on the Windows host.

      • by gweihir ( 88907 )

        So not actually a security problem on Linux at all. Well, I know why I have put 2FA on all my SSH logins that I occasionally use from Windows. (Yes, I know, I am lazy. I am still at zero malware infections on Windows though, so I have no clue how much risk of that I have.)

    • The 'crypto currency" miner was included so that when the user's anti-malware software flags it, the user chooses "Allow" because they do not want their cryptocurrency miner blocked by their malware protection. If the user does not allow it, they walk away thinking that a crypto miner was blocked not realizing that they are not only infected with something much worse, but their entire network may be infected. The miner designation also keeps IT guys from paying more attention, they just think they have an
  • A Linux user that would install a "cryptocurrency miner" on their workstation. Not to mention an IT person that would say "Oh well"!
  • by JustAnotherOldGuy ( 4145623 ) on Saturday October 28, 2023 @05:37PM (#63962318) Journal

    "Powerful Malware Disguised as Crypto Miner Infects 1M+ Windows, Linux PCs"

    Errrr, isn't the crypto-mining shit itself usually the malware?

    Who would deliberately download crap this and- oh, wait, never mind.

  • I mean, anybody invested in crapcoins is already pretty stupid. But anybody thinking that at this time you can still meaningfully mine on a regular PC must be among the most stupid or naive fucks possible.

  • by WindBourne ( 631190 ) on Saturday October 28, 2023 @07:22PM (#63962486) Journal
    Seriously, greed makes it so easy to steal from others.
  • by Motleypuss ( 10291831 ) on Saturday October 28, 2023 @08:27PM (#63962556)
    Seems like it's a fault with the user. This thing can't get on systems unless bozos install it, surely. This is another case of scammers putting nefarious code in places where the gullible will download the code, isn't it? Situation normal, in other words.

Life is a whim of several billion cells to be you for a while.

Working...