Hundreds of botnets operate internationally to achieve various malicious objectives.
One such botnet named Stantinko which has been operating since 2012 in countries such as Russia, Ukraine, Belarus, and Kazakhstan controls over half a million computers globally.
In its latest update, it has added a new capability of cryptomining making use of the highly anonymized cryptocurrency Monero creating a new profitable revenue stream.
Although, before this, it still was utilizing Monero for cashing in money through other tactics such as click fraud and ad injection, it is the first time that it has sought to earn money directly through it.
The module as discovered by a software security firm named Eset is being distributed through YouTube.
It is reported to be a modified version of an open-source cryptominer called xmr-stak.
To avoid detection, all unnecessary components were removed with the remaining ones “heavily obfuscated”.
Additionally, the miner does not even communicate in any direct manner with its compromised mining pool but instead uses proxies “whose IP addresses are acquired from the description text of YouTube videos.”
Yet, they are not the first of attackers to use such tactics. A banking malware named Casbaneiro has also been known to store encrypted C&Cs by concealing the text within descriptions.
One of the videos used in the scam.
Unlike the rest of CoinMiner.Stantinko, the hashing algorithm isn’t obfuscated, since obfuscation would significantly impair the speed of hash calculation and hence overall performance and profitability.
However, the authors still made sure not to leave any meaningful strings or artifacts behind, ESET said in a blog post.
The good news is that upon informing YouTube, all such videos were taken down. However, the botnet has already infected 500,000 devices leaving a lot of users vulnerable.
As common with cryptomining, these users can expect a significant lag on their computer speed with the high unauthorized usage of processing power resulting in so.
These may look innocuous to the user as high usage is well concealed under the guise of legitimate task names but in actuality, the case is very different.
It is worth noting that this is not the first time when YouTube has been used for malicious purposes.
In fact, in January last year, hackers were caught using YouTube ads to mine Monero coins.
In March last year, a Russian anti-virus vendor reported that hackers were using YouTube’s comment section to infect users with password stealer malware.
Nonetheless, as with everything, precautions along with certain solutions can also be implemented to break free of such attacks.
Firstly, one should have good anti-virus software because as seen above, even legitimate sites can end up infecting you.
And so the only wall between your computer and that malware would be that anti-virus software whose use can end up saving you through timely detection.
Secondly, if your computer happens to be unusually slow, this could be a good hint that something is wrong and you may want to investigate further. Not all attacks may be guarded against a couple of simple steps but the ratio of being compromised is indeed greatly reduced.
How does the Botnet mine Cryptocurrency?
The crypto mining module of the botnet is extremely a modified version of xmr-stak, which is an open-source crypto miner, according to the researchers.
Moreover, researchers also pointed out that the creators have also detached the functionality from malware to evade detection. Nevertheless, the rest of the functionalities and strings have become completely obfuscated. The ESET security products have detected the malware as Win{32,64}/CoinMiner.Stantinko.
The most exciting part of the botnet is CoinMiner.Stantinko doesn’t entirely communicate efficiently with the mining pool. On the other hand, the botnet uses different proxies and later acquires the IP addresses from YouTube videos’ description text.
Even before the report became mainstream, ESET had already provided YouTube of the unprecedented abuse. The channels which contain the infected videos have been taken down by the people on YouTube.
The researchers have pointed out that the core of the crypto mining functionality comprises hashing alongside communication made with proxy. CoinMiner.Stantinko has also set the connection with the first-ever mining proxy, which comes to life.
Later, the code, which includes a hashing algorithm, which gets downloaded directly from mining proxy when the communication first begins. Then, it is loaded directly into memory.
Once they have downloaded the conventional hashing code with every execution, the operators of Stantinko immediately change the system without a hassle. With the help of this change, it becomes possible for the botnet to adapt to the algorithm’s adjustment in currencies. Later the botnet switches to mine other cryptocurrencies.
In the end, it mines the most profitable cryptocurrency during the execution time.
As the module’s core part is downloaded from a remote server, it is loaded in the memory; in turn, the code doesn’t get stored on a physical disk. Given that the adjustment is complicated, the detection of the botnet is almost impossible.
