{"id":1934,"date":"2023-10-26T18:49:28","date_gmt":"2023-10-26T18:49:28","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=77804"},"modified":"2023-10-26T18:49:28","modified_gmt":"2023-10-26T18:49:28","slug":"kaspersky-reveals-elegant-malware-resembling-nsa-code","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/10\/26\/kaspersky-reveals-elegant-malware-resembling-nsa-code\/","title":{"rendered":"Kaspersky reveals \u2018elegant\u2019 malware resembling NSA code"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Kaspersky reveals &#8216;elegant&#8217; malware resembling NSA code | CyberScoop<\/title> <meta name=\"description\" content=\"The Russian cybersecurity firm discovered sophisticated malware that combined cryptocurrency mining and espionage capabilities.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/kaspersky-reveals-elegant-malware-resembling-nsa-code\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Kaspersky reveals 'elegant' malware resembling NSA code\"> <meta property=\"og:description\" content=\"The Russian cybersecurity firm discovered sophisticated malware that combined cryptocurrency mining and espionage capabilities.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/kaspersky-reveals-elegant-malware-resembling-nsa-code\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2023-10-26T18:49:28+00:00\"> <meta property=\"article:modified_time\" content=\"2023-10-26T20:06:29+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1697500969g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1697708085g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1698166067g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7dab012cdc88b5676610\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/77804\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta 
name=\"generator\" content=\"WordPress 6.3.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=77804\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fkaspersky-reveals-elegant-malware-resembling-nsa-code%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fkaspersky-reveals-elegant-malware-resembling-nsa-code%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-77804 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/kaspersky-reveals-elegant-malware-resembling-nsa-code\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close 
js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.548449612403\">\n<div class=\"single-article__header-content\" readability=\"30.25\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> The Russian cybersecurity firm discovered sophisticated malware that combined cryptocurrency mining and espionage capabilities. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Yuichiro Chino\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div 
class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"47.248280175109\"><body readability=\"95.437595964027\"><\/p>\n<p>An investigation into an apparent cryptocurrency miner revealed a highly sophisticated, yearslong spying framework with similarities to malware associated with the National Security Agency, researchers with <a href=\"https:\/\/securelist.com\/stripedfly-perennially-flying-under-the-radar\/110903\/\">Kaspersky said Thursday<\/a>. <\/p>\n<p>The report from Russia\u2019s leading cybersecurity firm provides rare technical details about a hacking operation that builds on code historically associated with U.S. operations. While Western cybersecurity firms regularly publish reports on hacking operations backed by states such as Russia, Iran and China, detailed technical examinations of Western cyber operations are far more difficult to come by.<\/p>\n<p>Thursday\u2019s report describes a framework dubbed StripedFly, which is capable of taking screenshots, retrieving system version information, stealing website login usernames, passwords and other autofill data, accessing Wi-Fi network information (including passwords), recording microphone audio and identifying and exfiltrating sensitive files. StripedFly relies on a custom <a href=\"https:\/\/cyberscoop.com\/tag\/eternalblue\/\">EternalBlue<\/a> exploit \u2014 a piece of NSA malware that leaked online in 2016 \u2014 to infect victims. <\/p>\n<p>The use of EternalBlue \u2014 which has been abused by other, non-American hacking groups in the past \u2014 raises questions about whether the malware in fact stems from a U.S. hacking operation. But the sophisticated nature of other components of the malware discovered by Kaspersky points toward a sophisticated actor. 
<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The framework also included a functional Monero cryptocurrency mining module, a custom ransomware variant called ThunderCrypt and a custom Tor client, which the framework used to securely communicate with a hidden command-and-control server. Data associated with the framework\u2019s update mechanism suggest that the framework has infected more than 1 million targets, according to the research.<\/p>\n<p>On its face, the malware might be dismissed as a run-of-the-mill cryptocurrency miner. But the addition of espionage and secure communications capabilities \u201cseems to defy the norm,\u201d Kaspersky\u2019s researchers note. Though it\u2019s an open question who is behind the operation, it\u2019s \u201cdifficult to accept the notion that such sophisticated and professionally designed malware would serve such a trivial purpose, given all the evidence to the contrary.\u201d<\/p>\n<p>Tor, or \u201cThe Onion Router,\u201d obfuscates web traffic and provides users a measure of anonymity. It\u2019s widely used for legitimate privacy-preserving reasons, as well as illicit criminal purposes. 
The fact that the framework developers created a custom Tor client \u2014&nbsp;\u201ca unique and time-consuming project\u201d that \u201cunderscores the sophistication of this malware\u201d \u2014 is remarkable, the researchers said.<\/p>\n<p>The researchers write that the framework\u2019s \u201cfunctional complexity and elegance remind us of the elegant code\u201d implemented by the hacking crew known as Equation Group, an operation <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2015_equation-group-the-crown-creator-of-cyber-espionage\">Kaspersky revealed in 2015<\/a> that\u2019s been <a href=\"https:\/\/www.wired.co.uk\/article\/nsa-hacking-tools-stolen-hackers\">linked to the NSA<\/a>.<\/p>\n<p>Nonetheless, a Kaspersky spokesperson told CyberScoop that \u201cit is not possible to make an attribution to the Equation group based on acquired technical findings\u201d and that the developers of malware sometimes include \u201cfalse flags in order to point investigators in the wrong direction.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In August 2016, a group calling itself the \u201c<a href=\"https:\/\/cyberscoop.com\/tag\/shadow-brokers\/\">Shadow Brokers<\/a>\u201d began posting what it said was stolen NSA malware, including the EternalBlue exploit used in customized form in StripedFly. Since being leaked, EternalBlue has been abused as part of <a href=\"https:\/\/cyberscoop.com\/tag\/eternalblue\/\">a variety of consequential criminal and state-aligned<\/a> hacking operations.<\/p>\n<p>The research released Thursday revealed that the earliest version of StripedFly was created prior to April 2016, at least four months before the Shadow Brokers leaks began, and a full year before the Shadow Brokers posted the leak containing the EternalBlue exploit. 
But Chinese hackers had also been using the EternalBlue exploit prior to the Shadow Brokers leak, <a href=\"https:\/\/www.zetter-zeroday.com\/p\/sophisticated-stripedfly-spy-platform\">cybersecurity journalist Kim Zetter reported Thursday<\/a>, along with at least one other NSA tool called DoublePulsar.<\/p>\n<p>The coding style and practices also resemble those seen in <a href=\"https:\/\/apt.securelist.com\/apt\/sbz\">SBZ malware<\/a>, the researchers said, referring to another piece of cyberespionage malware that has been linked to the Equation Group.<\/p>\n<p>\u201cTaken together, these various data points suggest the similarities to Equation malware, although there is no direct evidence that they are related,\u201d the researchers wrote.<\/p>\n<p>The NSA declined to comment.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p><strong>Updated, Oct. 26, 2023: <\/strong><em>This story has been updated to note that the NSA declined to comment.<\/em> <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.1455696202532\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/kaspersky-reveals-elegant-malware-resembling-nsa-code-1.jpg?w=640&#038;ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/kaspersky-reveals-elegant-malware-resembling-nsa-code\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky reveals &#8216;elegant&#8217; malware resembling NSA code | CyberScoop Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,1110,483,304,270,288],"tags":[286,1111,485,308,276,294],"class_list":["post-1934","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-eternalblue","category-kaspersky","category-national-security-agency-nsa","category-russia","category-threats","tag-cybercrime","tag-eternalblue","tag-kaspersky","tag-national-security-agency-nsa","tag-russia","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/eternalblue\/\" rel=\"category tag\">EternalBlue<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/kaspersky\/\" rel=\"category tag\">Kaspersky<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/national-security-agency-nsa\/\" rel=\"category tag\">National Security Agency (NSA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category 
tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1934","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1934"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1934\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1934"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}