Researchers from ESET had difficulty deciding whether Stantinko should be classed as adware or spyware, because of its nature: it injected ads through browser extensions such as Teddy Protection and The Safe Surfing.
On Nov. 26, ESET announced that the Stantinko botnet operators had broadened the scope of their criminal cyber activity beyond click fraud, ad injection, social network abuse and password stealing, recently adding tools for deploying crypto-mining malware on victims' computers using YouTube.
STANTINKO HAS BEEN AROUND SINCE 2012
The Stantinko botnet, which has operated since at least 2012, mainly targets internet users in Russia, Ukraine, Belarus and Kazakhstan. This cryptocurrency-mining malware is estimated to have compromised about 500,000 devices around the world, which puts it close to the Dexphot malware found by Microsoft, which has already infected more than 80,000 computers.
Such cryptojacking code seizes computer resources while posing as a legitimate part of the operating system, hiding its nefarious goal of running a crypto miner on the compromised device. The module's most remarkable feature is that it obscures its algorithm to thwart analysis and avoid detection: the botnet operators use obfuscated source code together with a small degree of randomness.
Stantinko can carry out certain attacks, such as performing searches, filling out forms and signing up for email lists without your knowledge, and enabling other backdoor activity. The backdoor includes a loader that can run any executable, allowing the operators to execute arbitrary code on the thousands of machines that belong to this botnet.
What makes Stantinko dangerous is that it can inject bots into your Google searches and is able to brute-force and infect websites running WordPress or Joomla.
As explained by welivesecurity, Stantinko stands out in the way it circumvents antivirus detection and thwarts reverse engineering efforts to determine if it exhibits malicious behavior. To do so, its authors make sure multiple parts are needed to conduct a complete analysis.
There are always two components involved: a loader and an encrypted component. The malicious code is concealed in the encrypted component, which resides either on disk or in the Windows Registry. This code is loaded and decrypted by a benign-looking executable. The key used to decrypt it is generated on a per-infection basis: some components use the bot identifier, others use the volume serial number of the victim PC's hard drive.
Building reliable detection on the non-encrypted components alone is very difficult, since artifacts residing on disk do not expose malicious behaviour until they are executed.
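Because the key differs per infection, a hash of the encrypted blob is not a reusable indicator, so defenders fall back on heuristics such as looking for large, near-random values where no such data belongs. The following is an added illustration of that heuristic (not code from ESET's write-up or from this article): the registry value names, sizes and thresholds are constructed assumptions, and the compressed-container check shows the main false-positive source such a scan must handle.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Headers of common compressed containers; compressed data is also near 8 bits/byte,
# so these must be excluded to avoid flagging ordinary cached archives.
KNOWN_COMPRESSED_MAGIC = (b"\x78\x9c", b"\x78\xda", b"\x1f\x8b", b"PK\x03\x04")


def flag_opaque_blobs(values, min_len=4096, min_entropy=7.5):
    """Return the names of values that look like encrypted payload storage.

    A value is flagged when it is large, near-random and does not start with a
    known compressed-container header. Thresholds are assumed starting points.
    """
    flagged = []
    for name, data in values.items():
        if len(data) < min_len:
            continue
        if data.startswith(KNOWN_COMPRESSED_MAGIC):
            continue
        if shannon_entropy(data) >= min_entropy:
            flagged.append(name)
    return flagged


# Constructed sample registry values standing in for a scan; not real Stantinko artifacts.
_rng = random.Random(1)
SAMPLE_VALUES = {
    "InstallPath": b"C:\\Program Files\\ExampleApp\\",          # short, text: ignored
    "CachedText": b"lorem ipsum dolor sit amet " * 200,          # large but low entropy
    "CachedZip": zlib.compress(b"lorem ipsum dolor sit amet " * 400),  # compressed data
    "BlobData": bytes(_rng.randrange(256) for _ in range(8192)),  # stands in for a blob
}

if __name__ == "__main__":
    for name, data in SAMPLE_VALUES.items():
        print(f"{name:12s} len={len(data):5d} entropy={shannon_entropy(data):.2f}")
    print("flagged:", flag_opaque_blobs(SAMPLE_VALUES))
```

A hit from this scan is only a lead: confirming the loader/payload relationship still requires observing the benign-looking executable read and decrypt the value at runtime, which is exactly why disk-only artifacts are so hard to classify.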