Stantinko botnet operators have enhanced their toolkit with a new means of making profit from the computers under their control: the Stantinko Trojan has acquired a module for mining Monero. In 2017, ESET experts reported the discovery of the Stantinko botnet, which at that time specialized in advertising fraud and had infected about 500,000 computers.
Researchers immediately described Stantinko as a complex threat, active at least since 2012. The malware is a modular trojan with backdoor functionality, and its code encryption and self-defense mechanisms have allowed Stantinko operators to go unnoticed for many years.
Now ESET experts report that the still active Stantinko has acquired a Monero cryptocurrency mining module, and CoinMiner.Stantinko has become another way for the botnet operators to earn money.
“This module’s most notable feature is the way it is obfuscated to thwart analysis and avoid detection. Due to the use of source level obfuscations with a grain of randomness and the fact that Stantinko’s operators compile this module for each new victim, each sample of the module is unique,” ESET specialists report.
In addition, although CoinMiner.Stantinko is based on the open source miner xmr-stak, it does not communicate with the mining pool directly but through proxy servers, and it receives their IP addresses from the description of a YouTube video. Researchers recall that the Casbaneiro banker previously used a similar tactic.
CoinMiner.Stantinko is able to suspend other, competing crypto mining applications.
Stantinko can also detect security software: the malware scans running processes looking for it.
Interestingly, the Trojan is also able to suspend the cryptocurrency mining process in a rather cunning way.
“CoinMiner.Stantinko temporarily suspends mining if it detects that there’s no power supply connected to the machine. This measure, evidently aimed at portable computers, prevents fast battery draining … which might raise the user’s suspicion,” say ESET researchers.
Researchers conclude that Stantinko continues to evolve and is unlikely to stop in the near future. Indeed, the mining module is far from the only innovation: earlier, the malware “learned” to carry out dictionary attacks against sites based on Joomla and WordPress in order to collect credentials. These credentials were probably resold to other criminals.