The versatile Stantinko botnet that's been targeting former Soviet nations since at least 2012 has added a Monero cryptomining module to its arsenal.
Stantinko historically has perpetrated click fraud, ad injections, social network fraud and brute-force password stealing attacks, primarily targeting Russia, Ukraine, Belarus and Kazakhstan. But this latest module, discovered by researchers at ESET, has been a major source of Stantinko's monetization since at least August 2018, ESET malware analyst Vladislav Hrcka notes in a Nov. 26 company blog post.
Described by ESET as a "highly modified version of the xmr-stak open source cryptominer," Stantinko's mining module, dubbed CoinMiner.Stantinko, is so resource-hungry that it can "exhaust most of the resources of the compromised machine."
CoinMiner.Stantinko is divided into four parts. The main component performs the actual mining, while the remaining parts are designed to, respectively, kill the functionalities of previously installed miners, detect security software, and suspend mining activity if the battery is low or the task manager utility is detected.
Instead of communicating directly with its mining pool, CoinMiner.Stantinko uses proxies whose IP addresses are derived from the description texts of YouTube videos, ESET reports. The module locates these videos after receiving a video identifier as a command-line parameter. (In earlier versions the video URL was hard-coded into the module.)
Communication with the proxies is encrypted with RC4 and takes place over TCP, the blog post continues. At the start of this communication, the code of the CryptoNight R hashing algorithm is downloaded from the proxy and loaded into memory.
"Downloading the hashing code with each execution enables the Stantinko group to change this code on the fly. This change makes it possible, for example, to adapt to adjustments of algorithms in existing currencies and to switch to mining other cryptocurrencies in order, perhaps, to mine the most profitable cryptocurrency at the moment of execution," Hrcka explains. "The main benefit of downloading the core part of the module from a remote server and loading it directly into memory is that this part of the code is never stored on disk."
According to ESET, YouTube removed the offending channels after it was alerted to the scam.
To remain stealthy and avoid detection, the actors behind CoinMiner.Stantinko removed certain strings and functions and heavily obfuscated the remainder. ESET notes that the module's use of advanced obfuscation techniques is its most prominent feature.
"Our discovery shows that the criminals behind Stantinko continue to expand the ways they leverage the botnet they control," Hrcka concludes. "This remotely configured cryptomining module, distributed since at least August of 2018 and still active at the time of writing, shows this group continues to innovate and extend its money-making capabilities."