The infamous Stantinko botnet has added a crypto-mining capability that uses its victims' computers to mine Monero, and it is using YouTube to evade detection.
In circulation since 2012, Stantinko has reportedly infected over 500,000 computers, concentrated in Russia, Ukraine, Belarus, and Kazakhstan, and has siphoned money from its victims through click fraud, ad injection, social network fraud, and password-stealing attacks.
Malware getting sophisticated
According to ESET, a cybersecurity research firm, the botnet's operators are distributing a new crypto-mining module, but its most notable feature is the set of tactics it uses to dodge detection. The module is built on xmr-stak, an open-source crypto miner, to mine the digital currency.
“Due to the use of source level obfuscations with a grain of randomness and the fact that Stantinko’s operators compile this module for each new victim, each sample of the module is unique,” ESET researchers explained.
To dodge detection, the botnet does not communicate directly with Monero mining pools; instead, it uses proxies whose IP addresses are acquired from the description text of YouTube videos.
“At the very core of the crypto mining function lies the process of hashing, and communication with the proxy […] CoinMiner.Stantinko sets the communication with the first mining proxy it finds alive,” the researchers noted.
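The dead-drop tactic described above (proxy addresses hidden in video descriptions, with the first proxy that answers being used) gives a defender two things to look for: address-like strings in otherwise unrelated video descriptions, and hosts that open connections to exactly those addresses. The following is an added example, not code from ESET or from this article: it extracts candidate IPv4 addresses (with optional ports) from constructed sample description text, drops non-routable ranges, and correlates the survivors with constructed outbound-connection log lines in an assumed `host=... dst=ip:port` format.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# An IPv4 address optionally followed by ":port", not embedded in a longer
# dotted number (so "v2.0.1" and "1.2.3.4.5" are not picked up).
IPV4_PORT_RE = re.compile(
    r"(?<!\d)(?<!\d\.)((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?(?!\.?\d)"
)

# Only RFC 1918 space is dropped explicitly; loopback, link-local, multicast
# and unspecified addresses are dropped via the ipaddress flags below. The
# TEST-NET documentation ranges used in the constructed sample are kept on
# purpose so the example runs offline without real Internet addresses.
_NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _is_candidate(addr: ipaddress.IPv4Address) -> bool:
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in _NON_ROUTABLE)


def extract_dead_drop_candidates(description: str) -> List[Tuple[str, Optional[int]]]:
    """Return unique (ip, port-or-None) pairs that look like proxy endpoints."""
    found: List[Tuple[str, Optional[int]]] = []
    seen: Set[Tuple[str, Optional[int]]] = set()
    for m in IPV4_PORT_RE.finditer(description):
        ip_text, port_text = m.group(1), m.group(2)
        try:
            addr = ipaddress.IPv4Address(ip_text)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if not _is_candidate(addr):
            continue
        port = int(port_text) if port_text else None
        if port is not None and not 1 <= port <= 65535:
            port = None
        key = (str(addr), port)
        if key not in seen:
            seen.add(key)
            found.append(key)
    return found


# Assumed (constructed) connection-log format: "<ts> host=<name> dst=<ip>:<port> proto=<p>"
CONN_RE = re.compile(r"host=(\S+)\s+dst=((?:\d{1,3}\.){3}\d{1,3}):(\d+)")


def correlate_connections(
    candidates: List[Tuple[str, Optional[int]]], conn_log_lines: List[str]
) -> List[Tuple[str, str, int, bool]]:
    """Return (host, dst_ip, dst_port, port_matched) for every connection to a candidate IP.

    A candidate advertised without a port matches on any port; one advertised
    with a port still matches on IP alone, but port_matched tells the analyst
    whether the connection used the advertised port.
    """
    ports_by_ip: Dict[str, Set[int]] = {}
    for ip, port in candidates:
        ports_by_ip.setdefault(ip, set())
        if port is not None:
            ports_by_ip[ip].add(port)
    hits: List[Tuple[str, str, int, bool]] = []
    for line in conn_log_lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        host, ip, port = m.group(1), m.group(2), int(m.group(3))
        if ip in ports_by_ip:
            advertised = ports_by_ip[ip]
            hits.append((host, ip, port, (not advertised) or port in advertised))
    return hits


# Constructed sample data (documentation address ranges, invented hostnames).
SAMPLE_DESCRIPTIONS = [
    "Best gameplay montage 2019!!! mirror: 198.51.100.23:3333 enjoy",
    "Tutorial part 2 (v2.0.1) - also at 203.0.113.7. Test rig on 192.168.1.10",
    "Nothing here but 999.1.1.1 which is not an address",
]
SAMPLE_CONN_LOG = [
    "2019-11-26T10:00:01Z host=ws-17 dst=198.51.100.23:3333 proto=tcp",
    "2019-11-26T10:00:05Z host=ws-03 dst=203.0.113.7:8080 proto=tcp",
    "2019-11-26T10:00:09Z host=ws-17 dst=198.51.100.23:443 proto=tcp",
    "2019-11-26T10:00:12Z host=ws-08 dst=192.0.2.44:3333 proto=tcp",
]


def hunt(descriptions: List[str], conn_log_lines: List[str]):
    """Collect candidates from all descriptions, then correlate with the log."""
    candidates: List[Tuple[str, Optional[int]]] = []
    for text in descriptions:
        for cand in extract_dead_drop_candidates(text):
            if cand not in candidates:
                candidates.append(cand)
    return candidates, correlate_connections(candidates, conn_log_lines)


if __name__ == "__main__":
    cands, hits = hunt(SAMPLE_DESCRIPTIONS, SAMPLE_CONN_LOG)
    print("candidates:", cands)
    for host, ip, port, port_ok in hits:
        print(f"{host} -> {ip}:{port} (advertised port: {port_ok})")
```

The address-extraction half is deliberately loose, because a proxy list does not have to be well formatted; the correlation half is what turns it into a usable hunt, since an address in a video description is only interesting once a managed host actually connects to it. In practice the candidate list would be fed from whatever description text an analyst has already collected and the connection log from the proxy or firewall, not from the constructed lists above.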
The botnet dynamically changes the hashing code with each execution.
“This change makes it possible, for example, to adapt to adjustments of algorithms in existing currencies and to switch to mining other cryptocurrencies in order, perhaps, to mine the most profitable cryptocurrency at the moment of execution,” ESET stated.
ESET has already informed YouTube about the botnet, and the video-streaming site has taken down the channels hosting the abusive videos.
Though the researchers have so far found only instances of Monero mining, they suspect the module may be mining other digital currencies as well, since the hashing algorithm it uses is CryptoNight-R.