In 2017, ESET experts reported the discovery of the Stantinko botnet, which then specialized in advertising fraud. Already at that time, about 500,000 computers were infected with this malware, and most of the victims were in Russia (46%) and Ukraine (33%).
Researchers immediately described Stantinko as a sophisticated and complex threat, active since at least 2012. The malware is a modular trojan with backdoor functionality, and its code encryption and self-defense mechanisms have allowed Stantinko operators to go unnoticed for many years.
Now ESET experts report that the still-active Stantinko has acquired a module for mining the Monero cryptocurrency, and CoinMiner.Stantinko has become another source of income for the botnet operators.
The main distinguishing feature of the malware is its ability to evade detection: Stantinko operators compile a unique module for each new victim. In addition, CoinMiner.Stantinko, which is based on the open source miner xmr-stak, does not communicate with the mining pool directly but through proxy servers, whose IP addresses it retrieves from YouTube video descriptions. Researchers recall that the Casbaneiro banker previously used similar tactics.
CoinMiner.Stantinko can suspend competing crypto-mining applications, detect security software, and pause the mining process when the device is running on battery power (to prevent rapid discharge) or when a running task manager is detected.
Researchers conclude that Stantinko continues to evolve and is unlikely to stop in the near future. The mining module is far from its only innovation. For example, the malware earlier “learned” to carry out dictionary attacks against Joomla- and WordPress-based sites in order to collect credentials. This data was probably then resold to other criminals.