
Cybercrime, Stantinko botnet adds a cryptomining module

According to ESET, the Stantinko botnet has expanded its toolset with a new means of profiting from the computers under its control: a Monero cryptomining module

The Stantinko botnet has expanded its toolset with a new means of profiting from the computers under its control, ESET security researchers have discovered. The roughly half-million-strong botnet – known to have been active since at least 2012 and mainly targeting users in Russia, Ukraine, Belarus and Kazakhstan – now distributes a cryptomining module. Mining Monero, a cryptocurrency whose exchange rate oscillated in 2019 between US$50 and US$110, has been the botnet’s monetizing functionality since at least August 2018. Before that, the botnet performed click fraud, ad injection, social network fraud and password-stealing attacks. The module’s most notable feature is the way it is obfuscated to thwart analysis and avoid detection. Because of source-level obfuscation with a degree of randomness, and because Stantinko’s operators compile the module afresh for each new victim, every sample of the module is unique.

According to the cyber security experts, the new feature is a highly modified version of the xmr-stak open-source cryptominer

According to the researchers, Stantinko’s cryptomining module, which exhausts most of the resources of the compromised machine by mining a cryptocurrency, is a highly modified version of the xmr-stak open-source cryptominer. All unnecessary strings and even whole functionalities were removed in an attempt to evade detection, and the remaining strings and functions are heavily obfuscated. ESET security products detect this malware as Win{32,64}/CoinMiner.Stantinko. The module doesn’t communicate with its mining pool directly, but via proxies whose IP addresses are acquired from the description text of YouTube videos. A similar technique of hiding data in YouTube video descriptions is used by the banking malware Casbaneiro, which uses much more legitimate-looking channels and descriptions, but for much the same purpose: storing encrypted C&C addresses.
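As an added illustration of the detection angle (this is not code from the article or from ESET): given the description text of a video and a set of egress connection log lines, the script below extracts candidate proxy endpoints from the description and flags hosts that actually connected to one of them. The description text, log lines, hostnames and process names are all constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample, not a real Stantinko artefact: an ordinary-looking video
# description with a relay endpoint buried in it, plus decoy numbers that must
# not be reported (a version string, an out-of-range octet, a date).
SAMPLE_DESCRIPTION = """Thanks for watching! Links below.
Build notes: 4.2.1.9 tested, nightly 7.0.1.300 broken, uploaded 2019.11.26
relay: 203.0.113.45:3333"""

# Constructed sample egress log lines: "<utc time> <host> <process> <dst_ip> <dst_port>".
SAMPLE_CONNECTIONS = [
    "2019-11-26T10:00:01Z ws-17 browser.exe 198.51.100.8 443",
    "2019-11-26T10:02:40Z ws-17 svc.exe 203.0.113.45 3333",
    "2019-11-26T10:03:15Z ws-22 svc.exe 203.0.113.45 3333",
    "2019-11-26T10:04:00Z ws-22 svc.exe 203.0.113.45 8080",
]

# Dotted quad with an optional ":port"; the lookarounds reject runs that are part of a
# longer token (e.g. "v2.0.1.3" or "1.2.3.4.5") while still allowing a trailing period.
ENDPOINT_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?!\w|\.\d)")


def extract_endpoints(text):
    """Return a set of (ip, port) tuples for every valid IPv4 address in text (port None if absent)."""
    endpoints = set()
    for ip_str, port_str in ENDPOINT_RE.findall(text):
        try:
            ip_address(ip_str)  # rejects octets above 255 and leading zeros
        except ValueError:
            continue
        port = int(port_str) if port_str else None
        if port is not None and not 1 <= port <= 65535:
            port = None  # keep the address, drop a nonsense port
        endpoints.add((ip_str, port))
    return endpoints


def find_connections_to(endpoints, log_lines):
    """Return (host, process, ip, port) for log lines whose destination appeared in the description."""
    hits = []
    for line in log_lines:
        _ts, host, proc, dst_ip, dst_port = line.split()
        port = int(dst_port)
        # An endpoint without a port matches any port; one with a port must match exactly.
        if (dst_ip, port) in endpoints or (dst_ip, None) in endpoints:
            hits.append((host, proc, dst_ip, port))
    return hits


if __name__ == "__main__":
    for hit in find_connections_to(extract_endpoints(SAMPLE_DESCRIPTION), SAMPLE_CONNECTIONS):
        print("possible mining-proxy traffic:", hit)
```

Addresses pulled from a description are only candidates (the version-like 4.2.1.9 above is syntactically valid), so the correlation with observed connections is what turns them into something worth alerting on.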

How the cryptomining module is built

ESET divided the Stantinko cryptomining module into four logical parts, which represent distinct sets of capabilities. The main part performs the actual cryptomining; the other parts of the module are responsible for additional functions:

  1. suspending other (i.e. competing) cryptomining applications;
  2. detecting security software;
  3. suspending the cryptomining function if the PC is on battery power or when a task manager is detected, to avoid being noticed by the user.

The botnet operators will expand it further to extend its money-making capabilities

The researchers concluded that the cybercrime actors behind Stantinko continue to expand the ways they leverage the botnet they control. Their previous innovation was distributed dictionary-based attacks on Joomla and WordPress websites aimed at harvesting server credentials, probably with the goal of selling them to other criminals. This remotely configured cryptomining module, distributed since at least August 2018 and still active at the time of writing, shows that the group continues to innovate and extend its money-making capabilities.
