Stantinko Botnet Description
The Stantinko Botnet is known to have been active since 2012. The cyber crooks behind it have somehow managed to keep this botnet active for seven years, which is rather impressive. It would appear that most of the systems that are part of the Stantinko Botnet are located in ex-Soviet countries such as Russia, Ukraine, Belarus and Kazakhstan. It has been estimated that the Stantinko Botnet consists of over 500,000 compromised machines. Most botnets are used for DDoS (Distributed Denial of Service) attacks. What is interesting about the Stantinko Botnet is that, despite its large size, it is yet to be employed for a DDoS attack. Instead, the operators of the Stantinko Botnet have used it in various other campaigns, including mass spam emails, collecting sensitive data, bogus ad clicks and fraud.
The Stantinko Botnet is Used for Mining Monero
Recently, the operators of the Stantinko Botnet have opted to add cryptocurrency mining to their list of tasks. They are using a cryptocurrency miner built from an open-source project that the attackers have altered slightly. Most threats of this type are based on XMRig, but the operators of the Stantinko Botnet have instead chosen to modify and use the 'xmr-stak' project. The miner utilized by the Stantinko Botnet serves to mine the Monero cryptocurrency. The operators of the Stantinko Botnet have made sure to obfuscate the mining module heavily so that dissecting it is far more complex.
Grabs the IP Addresses from YouTube Video Descriptions
Another obfuscation trick used by the operators of the Stantinko Botnet is the way the miner learns where to connect. Instead of hard-coding a fixed mining pool, the creators of the Stantinko Botnet have opted to grab the IP addresses from the descriptions of various YouTube videos that they upload to the platform. Of course, the addresses that the Stantinko Botnet uses are not stored in the descriptions in plain form; they have to be decoded first.
To ensure that their malware is using all the computing power of the compromised host, the authors of this threat have included a feature that is capable of detecting any other cryptocurrency miner that may be present on the system. If another miner is detected, the malware used by the creators of the Stantinko Botnet will terminate it. It would appear that the operators of the Stantinko Botnet also have implemented a self-preservation technique in their cryptomining module. The miner is capable of determining whether the user has launched the Windows Task Manager, and if they have, the mining module will cease its activity. This is done to avoid being spotted by the victim, as it would be evident that something is wrong if the user saw how much CPU is being used. This clever trick makes the activity of the cryptocurrency miner far more difficult to spot and makes it more likely that the threat will continue operating for a longer period. The Stantinko Botnet is also able to spot any anti-malware application that may be present on the compromised machine. Interestingly enough, however, no measures are taken to hide the harmful activity of the threat even when there is anti-virus software on the infected host.
The shady individuals behind the Stantinko Botnet are doing a good job of expanding their network and remaining active, even after operating for seven years. The Stantinko Botnet has great potential to cause serious trouble, and after being active for so long, it is unlikely that the criminals operating this botnet have any intention of ceasing activity any time soon.