Stantinko Botnet Starts Cryptojacking, Uses YouTube to Evade Detection

Friday, 29/11/2019 | 08:29 GMT by Arnab Shome
  • The botnet has infected more than half a million devices since 2012.

The infamous Stantinko botnet has added a cryptomining module that uses its victims' computers to mine Monero, and it relies on YouTube to help evade detection.

In circulation since 2012, Stantinko has reportedly infected over 500,000 devices, concentrated in Russia, Ukraine, Belarus and Kazakhstan, and has siphoned money from its victims through click fraud, ad injection, social network fraud and password stealing.

Malware getting sophisticated

According to cybersecurity research firm ESET, which revealed the activity, the botnet's operators are distributing a new cryptomining module, and its most notable feature is the set of tactics it uses to avoid detection. The module is based on xmr-stak, an open-source cryptocurrency miner.

“Due to the use of source level obfuscations with a grain of randomness and the fact that Stantinko’s operators compile this module for each new victim, each sample of the module is unique,” ESET researchers explained.

To avoid detection, the module does not communicate directly with Monero mining pools. Instead it talks to intermediary proxies, and it obtains the proxies' IP addresses from the description text of YouTube videos, a technique MITRE ATT&CK classifies as a dead-drop resolver (T1102.001).

“At the very core of the crypto mining function lies the process of hashing, and communication with the proxy […] CoinMiner.Stantinko sets the communication with the first mining proxy it finds alive,” the researchers noted.
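The two mechanisms just described, a dead-drop resolver that pulls proxy addresses out of free text and a "first proxy found alive" selection loop, are easy to emulate, and the same observation gives defenders a hunting heuristic. The following Python is an added example written for this page; it is not ESET's analysis code nor anything recovered from Stantinko. The description text, the connection-log lines, the RFC 5737 documentation-range IP addresses, the default port 3333 and the 60-second window are all constructed assumptions, and nothing here reflects the actual encoding the malware used in video descriptions.

```python
"""Emulation of a dead-drop resolver (MITRE ATT&CK T1102.001) of the kind the
article describes, plus a simple hunting heuristic over connection logs.

Added example for this page, not ESET's or Stantinko's code. The description
text, the log lines, the IP addresses (RFC 5737 documentation ranges) and the
default port 3333 are constructed assumptions.
"""
from __future__ import annotations

import re
import socket
from typing import Callable, Optional

# Constructed description text: what a video description carrying proxy
# addresses might look like. Invented for this example, not from a real video.
SAMPLE_DESCRIPTION = """Best music mix 2019 - enjoy!
Subscribe for more. Contact: 203.0.113.45:14444 or 198.51.100.7
Mirror: 999.1.1.1:80 (out-of-range octet, must be ignored)
Backup: 192.0.2.200:3333
"""

# IPv4 literal with optional :port, not glued to surrounding digits or dots.
_IPV4_PORT = re.compile(
    r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?(?![\d.])")


def extract_proxy_candidates(text: str, default_port: int = 3333) -> list[tuple[str, int]]:
    """Return (ip, port) pairs found in free text, in document order.
    Octets and ports are range-checked, so '999.1.1.1' is dropped.
    default_port is an assumption for this example, not a Stantinko constant."""
    found: list[tuple[str, int]] = []
    for ip, port in _IPV4_PORT.findall(text):
        if any(int(octet) > 255 for octet in ip.split(".")):
            continue
        p = int(port) if port else default_port
        if not 1 <= p <= 65535:
            continue
        found.append((ip, p))
    return found


def tcp_probe(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Liveness check: does a TCP handshake to ip:port complete?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_live_proxy(candidates: list[tuple[str, int]],
                      probe: Callable[[str, int], bool] = tcp_probe) -> Optional[tuple[str, int]]:
    """Walk the candidates in order and return the first one the probe
    reports alive, mirroring 'the first mining proxy it finds alive'.
    The probe is injectable so the selection logic can be tested offline."""
    for ip, port in candidates:
        if probe(ip, port):
            return (ip, port)
    return None


# Constructed connection-log lines: "<epoch> <host> <destination> <port>".
SAMPLE_LOG = """\
1574900000 ws-17 www.youtube.com 443
1574900003 ws-17 203.0.113.45 14444
1574900010 ws-22 www.youtube.com 443
1574900500 ws-22 192.0.2.200 3333
1574900020 ws-31 203.0.113.45 14444
"""

_LITERAL_IP = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def flag_dead_drop_followups(log: str, window_s: int = 60) -> list[tuple[str, str, int]]:
    """Hunting heuristic: flag hosts that reach youtube.com and then, within
    window_s seconds, connect to a bare IP literal (no hostname). That is the
    sequence a miner using video descriptions as a dead drop would produce.
    Assumes each host's log lines appear in chronological order."""
    last_youtube: dict[str, int] = {}
    hits: list[tuple[str, str, int]] = []
    for line in log.splitlines():
        ts_str, host, dst, port = line.split()
        ts = int(ts_str)
        if dst.endswith("youtube.com"):
            last_youtube[host] = ts
        elif (_LITERAL_IP.match(dst) and host in last_youtube
              and ts - last_youtube[host] <= window_s):
            hits.append((host, dst, int(port)))
    return hits


if __name__ == "__main__":
    cands = extract_proxy_candidates(SAMPLE_DESCRIPTION)
    print("candidates:", cands)
    # Offline demo: pretend only the last candidate answers.
    print("selected:", select_live_proxy(cands, probe=lambda ip, _p: ip == "192.0.2.200"))
    print("suspicious:", flag_dead_drop_followups(SAMPLE_LOG))
```

The heuristic is deliberately coarse: any browser session that loads YouTube and then hits a CDN by raw IP within a minute will trip it, so in practice it is a triage filter to combine with process names (the miner, not a browser, is the one making the second connection) and destination port reputation, not a standalone alert.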

The module also changes its hashing code with each execution.

“This change makes it possible, for example, to adapt to adjustments of algorithms in existing currencies and to switch to mining other cryptocurrencies in order, perhaps, to mine the most profitable cryptocurrency at the moment of execution,” ESET stated.

ESET has informed YouTube of the abuse, and the video platform has taken down the channels hosting the videos in question.

Although the researchers have so far observed only Monero being mined (the analysed samples use the CryptoNight R hashing algorithm), they suspect the module could be used to mine other cryptocurrencies as well.
