Application security, Application security, Threat Management, Threat Management, Malware

Stantinko botnet’s monetization strategy shifts to cryptomining


The versatile Stantinko botnet that's been targeting former Soviet nations since at least 2012 has added a Monero cryptomining module to its arsenal.

Stantinko historically has perpetrated click fraud, ad injections, social network fraud and brute-force password stealing attacks, primarily targeting Russia, Ukraine, Belarus and Kazakhstan. But this latest module, discovered by researchers at ESET, has been a major source of Stantinko's monetization since at least August 2018, ESET malware analyst Vladislav Hrcka notes in a Nov. 26 company blog post.

Described by ESET as a "highly modified version of the xmr-stark open source cryptominer," Stantinko's mining module, dubbed CoinMiner.Stantinko, is so powerful that it can "exhaust most of the resources of the compromised machine."

CoinMiner.Stantinko is divided into four parts. The main component performs he actual mining, while the remaining parts are designed to, respectively, kill the functionalities of previously installed miners, detect security software and suspend mining activity if battery is low or the task manager utility is detected.

Instead of directly communicating with its mining pool, CoinMiner.Stantinko uses proxies with IP addresses that are derived from the description texts, of YouTube videos, ESET reports. The module finds these videos after receiving a video identifier in the form of a command-line parameter. (In earlier versions the video URL was hard-coded into the module.)

Communication with the proxies is encrypted by RC4 and takes places over TCP, the blog post continues. At the start of this communication, the code of the CryptoNight R. hashing algorithm is downloaded from the proxy and loaded into memory.

"Downloading the hashing code with each execution enables the Stantinko group to change this code on the fly. This change makes it possible, for example, to adapt to adjustments of algorithms in existing currencies and to switch to mining other cryptocurrencies in order, perhaps, to mine the most profitable cryptocurrency at the moment of execution," Hrcka explains. "The main benefit of downloading the core part of the module from a remote server and loading it directly into memory is that this part of the code is never stored on disk."

According to ESET, YouTube removed the offending channels after it was alerted to the scam.

To remain stealthy and avoid detection, the actors behind CoinMiner.Stantinko removed certain strings and functions and heavily obfuscated the remainder. ESET notes that the module's use of advanced obfuscation techniques is its most prominent feature.

"Our discovery shows that the criminals behind Stantinko continue to expand the ways they leverage the botnet they control," Hrcka concludes. "This remotely configured cryptomining module, distributed since at least August of 2018 and still active at the time of writing, shows this group continues to innovate and extend its money-making capabilities."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.