
ESET uncovers Stantinko botnet distributing a cryptomining module

Created: 2019-11-26 00:00:00

ESET researchers have discovered that the criminals behind the half-million-strong Stantinko botnet are distributing a Monero-mining module to the computers they control.

The operators of the Stantinko botnet – who control roughly half a million computers and have been active since at least 2012 – mainly target users in Russia, Ukraine, Belarus and Kazakhstan. Now they have expanded into a new line of business.

“After years of relying on click fraud, ad injection, social network fraud and credential stealing, Stantinko has started to mine Monero. Since at least August 2018, its operators have been distributing a cryptomining module to the computers they control,” says Vladislav Hrčka, ESET malware analyst who conducted the research.

Stantinko’s cryptomining module, which ESET security products detect as Win{32,64}/CoinMiner.Stantinko, is a highly modified version of the xmr-stak open-source cryptominer. This module’s most notable feature is the way it is obfuscated to thwart analysis and avoid detection. “Due to the use of source level obfuscations with a grain of randomness, and the fact that Stantinko’s operators compile this module for each new victim, each sample of the module is unique,” explains Hrčka.

Besides obfuscation, CoinMiner.Stantinko employs some interesting tricks.

To hide its communication, the module does not contact its mining pool directly. Instead it routes traffic through proxies whose IP addresses it retrieves from the description text of YouTube videos, so the current proxy set can be rotated by editing a description rather than pushing a new sample. (A similar technique for hiding data in YouTube video descriptions is used by the banking malware Casbaneiro, which ESET researchers recently analyzed.)

“We informed YouTube of this abuse and all the channels with these videos were taken down,” comments Hrčka.
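The dead-drop pattern described above, as an added illustration rather than code from ESET or from the Stantinko module itself: a resolver scans free text for IPv4:port tokens and validates them. The page does not say how Stantinko encodes the addresses in the description, so this example assumes plain dotted quads; the sample description text and the addresses in it are constructed (documentation ranges stand in for real proxies). The same routine is useful on the defensive side, for sweeping text a sample fetched for embedded infrastructure.

```python
import ipaddress
import re

# Constructed sample (not from any real video): the free-form text a
# dead-drop resolver would fetch and scan. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for real proxies.
SAMPLE_DESCRIPTION = """Relaxing music mix 2018 #chill #study
contact: 203.0.113.45:3333
mirror 198.51.100.7:14444
version 1.2.3.4567 and 999.1.1.1:80 are not addresses
local test 10.0.0.1:8080
"""

# Dotted quad, optionally followed by :port, not embedded in a longer
# dotted or numeric run (so "1.2.3.4567" is not read as 1.2.3.456).
IP_PORT_RE = re.compile(
    r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\d.])"
)

# Ranges an infected machine could not reach across the Internet. The
# documentation ranges are deliberately left out so they can serve as
# sample values above.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def extract_dead_drop_candidates(text):
    """Return every syntactically valid IPv4[:port] token in text.

    Each hit is validated with the ipaddress module (999.1.1.1 is rejected)
    and tagged with whether it lies in an internal range, which an analyst
    would treat as noise rather than as proxy infrastructure.
    """
    hits = []
    for m in IP_PORT_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # out-of-range octet such as 999
        port = int(m.group(2)) if m.group(2) else None
        if port is not None and not 0 < port < 65536:
            continue
        internal = any(ip in net for net in INTERNAL_NETS)
        hits.append({"ip": str(ip), "port": port, "internal": internal})
    return hits


def resolve_proxies(text):
    """What the resolver would hand to the miner: routable ip:port strings."""
    return [
        f"{h['ip']}:{h['port']}"
        for h in extract_dead_drop_candidates(text)
        if h["port"] is not None and not h["internal"]
    ]


if __name__ == "__main__":
    for hit in extract_dead_drop_candidates(SAMPLE_DESCRIPTION):
        print(hit)
    print("proxies:", resolve_proxies(SAMPLE_DESCRIPTION))
```

Run against a description fetched from a video URL found in a sample, the routable hits are the proxy list to block or sinkhole; the internal hits and rejected tokens show why validation, not just a regex, is needed before treating a match as an indicator.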

To avoid raising the victims' suspicion, CoinMiner.Stantinko suspends mining when the PC is running on battery power or when a task manager is detected. It also checks whether other cryptomining applications are running on the computer and, if so, suspends them. CoinMiner.Stantinko also scans running processes for security software.

“While CoinMiner.Stantinko is far from being the most dangerous malware out there, it’s annoying, to say the least, to have the computer busy making money for criminals. More alarming should be the fact that at any point in time, Stantinko could serve the victims’ computers with any other – possibly damaging – malware,” warns ESET’s Vladislav Hrčka.

For users to stay safe from such threats, ESET researchers recommend sticking with basic security practices and using a reputable security solution.

For more details, read the blog post, Stantinko botnet adds cryptomining to its pool of criminal activities, on WeLiveSecurity.

About Version 2 Limited

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defences in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centres worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware sample without interruption since 2003. For more information, visit https://www.eset.hk/ or follow us on Facebook.