Peterborough Linux User Group (Canada) Forum

Linux & Android => Security and Privacy => Topic started by: Jason on October 30, 2023, 03:03:39 PM

Title: StripedFly malware infects 1 million Windows and Linux hosts (Bleeping Computer)
Post by: Jason on October 30, 2023, 03:03:39 PM
Security researchers recently discovered malware that's been infecting Windows and Linux hosts over the last five years, although it's believed to be at least 7 years old.

StripedFly is an APT (advanced persistent threat) malware framework containing several modules including a crypto-miner, an SSH client to control other systems, a credential harvester, screenshot capture and a ransomware spreader. Like much malware, it uses techniques to hide its presence and operation, including encrypting itself and using Tor to hide its communications. On Windows, it uses PowerShell to run its tasks and tailors its operations to the privileges it has. While the principal motivation is unidentified, Kaspersky states:

Quote: The presence of the Monero crypto miner is considered a diversion attempt, with the primary objectives of the threat actors being data theft and system exploitation facilitated by the other modules.

"The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group," reads Kaspersky's report.

Securelist has a more detailed write-up and mentions that,

Quote: Many high-profile and sophisticated malicious software have been investigated, but this one stands out and it truly deserves attention and recognition.

Scary stuff. What I find really disconcerting is where Securelist notes,

Quote: What was the real purpose? That remains a mystery. While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn't opt for the potentially more lucrative path instead. The prevailing narrative often centers around ransomware actors collecting anonymous ransoms, but this case seems to defy the norm.

Antimalware software on Windows will detect this virus and remove it. I'm still trying to figure out how you can detect its presence in Linux. If I find out, I'll add it to this thread. MG has details on how to do it manually (see the sources). MG also lists tips on how to avoid getting infected by malware, which are probably familiar to most of us here, but a reminder can't hurt.

Sources:
Bleeping Computer (https://www.bleepingcomputer.com/news/security/stripedfly-malware-framework-infects-1-million-windows-linux-hosts)
Securelist (https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/)
MG (https://malware-guide.com/blog/remove-stripedfly-malware)