
Stantinko Botnet

Posted: November 27, 2019

The Stantinko Botnet is a network of Trojan-compromised computers that its operators put to various purposes, currently including cryptocurrency mining. Additional dangers include fraudulent or threatening abuse of Web advertising content and the theft of login credentials such as passwords. Since the individual Trojans in the network use various means of avoiding detection, users should keep trustworthy anti-malware services updated and run them to remove a Stantinko Botnet infection as needed.

A Botnet Collecting Coins by Whatever Means Necessary

The Stantinko Botnet is one of the older examples of an operating botnet, a decentralized Trojan network of compromised computers, phones and IoT devices. While it can safely be categorized as more aggressive than its much younger competitor in crypto-mining crimes, Dexphot, it retains significance for various stealth and dynamic-programming attributes. For victims, though, Stantinko Botnet infections are little different from those of other cryptocurrency-mining Trojans, except for the other dangers they bring to the table.

Pre-2018 infections involving the Stantinko Botnet falsified Web traffic, injected advertisements and collected passwords to generate profits for the botnet's administrators. Throughout 2018 and 2019, however, the Stantinko Botnet has leaned into a different tactic: mining Monero cryptocurrency. The non-consensual mining operation uses xmr-stak, open-source software that malware experts trace back to its GitHub project. However, the criminals run a heavily modified version of the program as their mining module, a fork with many elements deleted for evasion purposes.

Other traits of the Stantinko Botnet of historical note include misusing the YouTube website for part of its C&C network, via text in video descriptions, and notably advanced obfuscation. The reliance on a third-party service is a weak point for the botnet, and YouTube has taken action to remove the associated videos. However, the technique remains reliable enough that the Stantinko Botnet is just one of several botnets employing similar strategies, such as the MasterMana Botnet's abuse of Pastebin.

Exploring the Depths to which a Coin Miner will Sink

The Stantinko Botnet's pivot towards illicit Monero hoarding involves more than a change of final-stage payload. Current versions of the Stantinko Botnet's Trojans also provide various supporting functions that maximize their profiteering potential, including:

  • The Stantinko Botnet uses some relatively simple but effective ways of avoiding detection by users. It disables the Monero-mining feature whenever the system is running without a power supply, which prevents it from draining batteries excessively. It also turns the feature off if it identifies processes related to memory-monitoring tools, most typically the Windows Task Manager.
  • Previous attacks using the Stantinko Botnet are notable for misusing the AVZ Antiviral Toolkit to remove competitors' software. Now, the botnet includes more specific measures for countering crypto-mining Trojans, including, ironically, the same xmr-stak project that provided its mining code. The process-terminating feature is string-based and also covers the highly popular XMRig.
  • Additionally, the Trojan detects memory-active security programs and memory utilities. It compiles a list of them by matching hard-coded checksums rather than names, which is less identifiable in analysis than a search by plain-text names. The threat actors likely retrieve this list later, possibly through another module.
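To illustrate why a checksum-based list is less identifiable than a string-based one, and how an analyst resolves it anyway, here is an added Python example that is not code from the page or from any Stantinko sample: a constructed configuration blob stores the miner kill list as plain strings and the security-tool list only as checksums. The choice of CRC32, the tool names and the blob layout are assumptions for illustration.

```python
import struct
import zlib

# Constructed stand-in for a configuration area carved out of a sample.
# The miner kill list is stored as plain strings, as the page describes,
# while the security-tool list is stored only as 32-bit checksums.
# CRC32 is an ASSUMPTION; the page does not name the checksum algorithm.
def name_checksum(name: str) -> int:
    return zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF

WATCHED_TOOLS = ["taskmgr.exe", "procexp.exe"]   # hypothetical watch list
STRING_LIST_PART = b"xmr-stak\x00xmrig\x00"     # string-based kill list
CONFIG_BLOB = STRING_LIST_PART + b"".join(
    struct.pack("<I", name_checksum(t)) for t in WATCHED_TOOLS
)
CHECKSUM_OFFSET = len(STRING_LIST_PART)

# Wordlist of tool names an analyst keeps for resolving hashed lists.
ANALYST_WORDLIST = ["xmr-stak", "xmrig", "taskmgr.exe", "procexp.exe",
                    "procmon.exe", "processhacker.exe"]

def find_plaintext_names(blob: bytes, candidates):
    """Names a plain strings/grep pass over the blob would reveal."""
    lowered = blob.lower()
    return [c for c in candidates if c.lower().encode("ascii") in lowered]

def extract_checksums(blob: bytes, offset: int, count: int):
    """Read `count` little-endian 32-bit checksums starting at `offset`."""
    return list(struct.unpack_from("<%dI" % count, blob, offset))

def resolve_checksums(values, wordlist):
    """Map each recovered checksum back to a tool name by hashing the
    wordlist; values with no match stay None for manual follow-up."""
    table = {name_checksum(w): w for w in wordlist}
    return {v: table.get(v) for v in values}

def analyze(blob=CONFIG_BLOB, wordlist=ANALYST_WORDLIST):
    """Contrast what each storage form gives away: the string list is
    visible directly, the checksum list only after wordlist resolution."""
    values = extract_checksums(blob, CHECKSUM_OFFSET, len(WATCHED_TOOLS))
    return {
        "plaintext": find_plaintext_names(blob, wordlist),
        "resolved": resolve_checksums(values, wordlist),
    }

if __name__ == "__main__":
    print(analyze())
```

Only the miner names surface from a strings pass; the tool names come back only once the checksums are matched against a wordlist, which is the analyst's counterpart to the malware's name-hiding trick.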

Many components of the Stantinko Botnet aren't files on the local disk, which makes it harder to detect. Users should keep their anti-malware services updated to detect and delete the Stantinko Botnet's Trojans and modular elements from compromised systems.

The Stantinko Botnet is a mainstay of the threat landscape in Russia and neighboring countries, but is by no means exclusive to them. Unless users pay proper mind to cyber-security practices, it's likely to continue putting coins in its masters' pockets for years to come.
