The Stantinko Botnet has been active since at least 2012, and its operators have kept it running for roughly seven years, an unusually long life for a botnet of this size. Most of the compromised systems appear to be located in former Soviet countries, chiefly Russia, Ukraine, Belarus and Kazakhstan, and the botnet has been estimated at over 500,000 machines. Large botnets are commonly used for DDoS (Distributed Denial-of-Service) attacks, yet despite its size Stantinko has never been observed launching one. Instead, its operators have put it to work in other profit-driven campaigns: mass spam emails, harvesting credentials and other sensitive data, click fraud on advertisements, and similar schemes.
The Stantinko Botnet is Used for Mining Monero
Recently, the operators of the Stantinko Botnet added cryptocurrency mining to its list of tasks. The miner is built from an open-source project that the attackers have modified. Most threats of this type are based on XMRig, but Stantinko's operators chose instead to modify the 'xmr-stak' project. The module mines the Monero cryptocurrency, the usual choice for such malware because it can be mined profitably on ordinary CPUs, and its code has been heavily obfuscated to make analysis far more time-consuming.
Grabs the IP Addresses from YouTube Video Descriptions
Another evasion trick is the way the mining module locates its pool. Instead of hard-coding a mining pool address, which defenders could block or sinkhole, the module retrieves the IP addresses from the descriptions of YouTube videos that the operators upload themselves. The addresses are not stored in the clear: the description carries an encoded string that the module must decode before it can connect. Because the request for the description goes to a legitimate, high-reputation site, it blends in with ordinary browsing traffic.
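The retrieval scheme described above, as an added example that is not code from the original article or from the Stantinko module: it mimics a dead-drop resolver that pulls the description out of a constructed YouTube watch page and decodes a token into an IP address and port. The article does not document the real encoding, so the 12-hex-digit "four IP bytes plus a two-byte port" token layout, the meta tag it is read from, and the sample page are all assumptions.

```python
import re
from html import unescape
from ipaddress import IPv4Address

# Constructed stand-in for a YouTube watch page (not a real page). The article does
# not document Stantinko's actual encoding; the 12-hex-digit token that packs four
# IP bytes and a two-byte big-endian port is an assumption made for this example.
SAMPLE_PAGE = """<html><head>
<meta name="description" content="best music mix 2019 &#8211; key: 5db8d8220d05">
</head><body></body></html>"""

META_RE = re.compile(r'<meta\s+name="description"\s+content="([^"]*)"', re.I)
TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{12}\b")


def extract_description(html):
    """Return the unescaped description meta tag, or None if the page lacks one."""
    m = META_RE.search(html)
    return unescape(m.group(1)) if m else None


def decode_token(token):
    """Decode a 12-hex-digit token (assumed layout) into (ip, port)."""
    raw = bytes.fromhex(token)
    if len(raw) != 6:
        raise ValueError("token must encode 4 IP bytes + 2 port bytes")
    return str(IPv4Address(raw[:4])), int.from_bytes(raw[4:], "big")


def resolve_pool(html):
    """Mimic the dead-drop resolver: pull every decodable token out of the description.

    Tokens that decode to non-routable addresses or port 0 are dropped, since a
    miner could not reach a pool there; this is the kind of sanity filter the
    real module would also need.
    """
    desc = extract_description(html)
    if desc is None:
        return []
    pools = []
    for tok in TOKEN_RE.findall(desc):
        try:
            ip, port = decode_token(tok)
        except ValueError:
            continue
        if port == 0 or not IPv4Address(ip).is_global:
            continue
        pools.append((ip, port))
    return pools


if __name__ == "__main__":
    for ip, port in resolve_pool(SAMPLE_PAGE):
        print(f"pool candidate: {ip}:{port}")
```

A defender can run the same decoder over the descriptions of videos a suspect process fetches; any token that decodes to a routable address and a stratum-style port deserves a closer look. The more robust network detection, though, keys on the pattern itself: a non-browser process requesting a youtube.com watch page and shortly afterwards opening a TCP connection to a raw IP address.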
To reserve all of the host's computing power for itself, the module detects any other cryptocurrency miner running on the system and terminates it.

The operators have also built a self-preservation feature into the mining module. The miner checks whether the user has launched Windows Task Manager and, if so, suspends mining. A process consuming nearly all of the CPU is the first thing a victim would notice in Task Manager, so pausing while it is open keeps the infection unnoticed and lets the miner run for longer. The same check does, however, leave a recognisable pattern: a process whose CPU usage collapses whenever taskmgr.exe starts and recovers as soon as it closes.

The module also checks whether anti-malware software is present on the compromised machine. Interestingly, it takes no additional measures to hide its activity when an anti-virus product is found.
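The Task Manager check gives defenders a detection handle, shown here as an added example that is not code from the article or from the malware: a simple heuristic run over constructed per-process CPU samples that flags processes which are busy only while taskmgr.exe is not running. The log format, the thresholds and the process names are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed per-process CPU samples (not real telemetry). One row per process per
# snapshot: time, process, cpu_pct, taskmgr_running (1 = taskmgr.exe was running).
SAMPLE_LOG = """time,process,cpu_pct,taskmgr_running
10:00:00,svchost.exe,1.2,0
10:00:00,updater.exe,88.5,0
10:00:30,svchost.exe,0.8,0
10:00:30,updater.exe,91.0,0
10:00:30,encoder.exe,95.0,0
10:01:00,svchost.exe,1.1,1
10:01:00,updater.exe,0.0,1
10:01:00,encoder.exe,93.5,1
10:01:00,taskmgr.exe,4.0,1
10:01:30,updater.exe,0.2,1
10:01:30,encoder.exe,94.0,1
10:02:00,updater.exe,89.9,0
10:02:00,encoder.exe,95.2,0
"""


def parse_samples(text):
    """Parse the CSV snapshot log into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": r["time"],
            "process": r["process"].lower(),
            "cpu": float(r["cpu_pct"]),
            "taskmgr": r["taskmgr_running"].strip() == "1",
        })
    return rows


def find_taskmgr_shy(samples, high=60.0, low=5.0, min_each=2):
    """Flag processes that burn CPU only while Task Manager is closed.

    A process is reported when every reading taken without taskmgr.exe is at
    least `high` percent and every reading taken with it open is at most `low`
    percent, with at least `min_each` readings in each state so a single noisy
    sample cannot trigger or suppress a hit.
    """
    with_tm = defaultdict(list)
    without_tm = defaultdict(list)
    for s in samples:
        (with_tm if s["taskmgr"] else without_tm)[s["process"]].append(s["cpu"])
    hits = []
    for proc, busy in without_tm.items():
        quiet = with_tm.get(proc, [])
        if len(busy) < min_each or len(quiet) < min_each:
            continue
        if min(busy) >= high and max(quiet) <= low:
            hits.append(proc)
    return sorted(hits)


if __name__ == "__main__":
    for proc in find_taskmgr_shy(parse_samples(SAMPLE_LOG)):
        print(f"suspicious: {proc} goes quiet whenever taskmgr.exe is running")
```

On the sample data only updater.exe is reported; encoder.exe stays busy whether or not Task Manager is open, so it is correctly left alone. `high` should sit above anything a legitimate process is expected to sustain, `low` near idle, and `min_each` above one so a single sample cannot decide the verdict. In practice the rows would come from a periodic process snapshot (an EDR or Sysmon process-list feed), with the Task Manager state derived from the same snapshot.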
The operators of the Stantinko Botnet have succeeded in expanding their network and keeping it active for seven years. A botnet of this size and longevity has the potential to cause serious damage, and after so long in operation it is unlikely that the criminals behind it intend to cease activity any time soon.