
A Botnet Uses YouTube to Mine Cryptocurrency


Stantinko, the oldest botnet, which is estimated to have infected around 500,000 devices across the world, is making advances in cryptocurrency mining. A new report suggests that the botnet has added cryptocurrency mining to its toolset, and that it uses Google’s video streaming platform, YouTube, to evade detection. By the looks of it, the notorious botnet has distributed its Monero (XMR) mining module through YouTube.

On 26 November 2019, the antivirus vendor ESET reported that the operators of Stantinko are expanding their criminal activity beyond click fraud, ad injection, social network fraud and password stealing: they are now installing cryptocurrency-mining malware on victims’ devices, using YouTube as part of the scheme.

The Stantinko botnet has been active since 2012 and mainly targets users in Ukraine, Russia, Kazakhstan and Belarus. ESET’s researchers said that the most remarkable feature of the module is how it obscures its algorithm to thwart analysis and avoid detection: the botnet operators use obfuscated source code combined with a small amount of randomness, and apparently compile the module afresh for every new victim, so that each sample of the module is unique.

How does the Botnet mine Cryptocurrency?

According to the researchers, the botnet’s crypto-mining module is a heavily modified version of xmr-stak, an open-source cryptocurrency miner. The creators stripped functionality out of the miner to evade detection, and the remaining functions and strings are completely obfuscated. ESET security products detect the malware as Win{32,64}/CoinMiner.Stantinko.

The most interesting part is that CoinMiner.Stantinko does not communicate with the mining pool directly. Instead it goes through proxies, and it obtains the proxies’ IP addresses from the description text of YouTube videos. Before the report was published, ESET had already notified YouTube of this unprecedented abuse, and YouTube has taken down the channels that hosted the videos.


The researchers point out that the core of the mining functionality consists of hashing and of the communication with the proxy. CoinMiner.Stantinko establishes a connection with the first mining proxy that responds.

The hashing code itself is downloaded from the mining proxy when the communication first begins and is loaded directly into memory. Because the current hashing code is fetched on every execution, Stantinko’s operators can change it at will; this lets the botnet adapt when a currency adjusts its algorithm, or switch to mining other cryptocurrencies, so that it always mines whichever is most profitable at execution time.

Since the module’s core is downloaded from a remote server and loaded into memory, the code is never stored on a physical disk. Given how elaborate this arrangement is, detecting the miner is almost impossible.
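Because the miner never touches disk, the most practical place to catch it is in network telemetry: the behaviour described above (fetch a YouTube page, then open a connection to a bare IP address on a non-web port, then pull the hashing code from that proxy) leaves a recognisable sequence in web-proxy or firewall logs. The script below is an added illustration of that correlation, not code from ESET or from the article; the log format, host names, IP addresses and the five-minute window are all constructed assumptions.

```python
"""Detection heuristic for the YouTube-then-proxy pattern described above.

Assumed (constructed) log format, one event per line:
    <ISO timestamp> <client host> <destination host or IP> <dest port> <bytes>

The heuristic flags a client that fetches YouTube and then, within a short
window, connects to a bare IP address on a port other than 80/443. That is
the order in which a CoinMiner.Stantinko-style module would look up its
proxy in a video description and then contact it.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
2019-11-26T10:00:01 ws-042 www.youtube.com 443 18342
2019-11-26T10:00:02 ws-042 www.youtube.com 443 2211
2019-11-26T10:00:09 ws-042 203.0.113.17 14444 512
2019-11-26T10:01:00 ws-017 www.youtube.com 443 20000
2019-11-26T10:07:30 ws-017 198.51.100.5 443 3400
2019-11-26T10:20:00 ws-099 93.184.216.34 8080 100
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")
WINDOW = timedelta(minutes=5)      # assumed correlation window
WEB_PORTS = {80, 443}              # ordinary browsing, not flagged on its own


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, dest, port, nbytes = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "dest": dest,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return events


def is_bare_ip(dest):
    """True when the destination is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def find_suspicious(events, window=WINDOW):
    """Return (client, ip, port) for bare-IP, non-web-port connections that
    follow a YouTube fetch from the same client within `window`."""
    last_youtube = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["dest"].endswith("youtube.com"):
            last_youtube[ev["client"]] = ev["ts"]
            continue
        if not is_bare_ip(ev["dest"]) or ev["port"] in WEB_PORTS:
            continue
        seen = last_youtube.get(ev["client"])
        if seen is not None and ev["ts"] - seen <= window:
            hits.append((ev["client"], ev["dest"], ev["port"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_log(SAMPLE_LOG)):
        print("suspicious YouTube-then-proxy connection:", hit)
```

On the sample data only ws-042 is flagged: ws-017 also visited YouTube, but its follow-up connection is on port 443 and so is indistinguishable from browsing by port alone, and ws-099 never touched YouTube. That second case is the obvious blind spot of a port-based rule; a production version would add a check on the bytes transferred or on the TLS handshake, since a mining proxy speaking Stratum on 443 does not look like a web server.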
