Stantinko, the malware group infamous for infecting at least half a million computers around the world, has added a new technique to its portfolio. Its operators have been found using YouTube video descriptions to relay the addresses their cryptominer talks to, mining cryptocurrency on victims' machines for profit.

The Multi-Purpose Module

Security researchers at ESET first surfaced this and detailed it on their blog. Stantinko has been infamous for ad injection, password stealing and click fraud, earning its revenue mainly from victims in countries like Russia, Ukraine and Belarus. Active since at least 2012, it is estimated to have infected more than 500,000 systems worldwide.

Stantinko Botnet is Now Mining Cryptocurrency Through YouTube

With that record, Stantinko has now turned to mining cryptocurrency with its victims' computational resources. Coin mining itself is common these days; what makes Stantinko's miner notable is the effort spent on obfuscation and on hiding from detection.

The module it drops is a heavily modified version of the open-source miner xmr-stak. Besides the mining code itself, it carries logic to detect security software, to suspend mining when something looks suspicious, and to kill competing cryptominers on the machine. What is clever is how it finds its infrastructure: the proxy addresses it needs are fetched from the descriptions of YouTube videos.

Leveraging YouTube Descriptions

Cryptomining is, at its core, repeated hashing, and the miner (CoinMiner.Stantinko) does not talk to a mining pool directly. It communicates through mining proxies, and the addresses of those proxies are taken from the description text of YouTube videos, which acts as a dead drop the operators can update without touching the malware itself.

ESET reported the videos to YouTube, which took them down. The hashing code itself is not embedded in the dropped binary: it is downloaded from the mining proxy at run time, which lets the operators swap it to adapt the miner to a different, more profitable cryptocurrency, and it keeps the hashing code out of the file that antivirus software scans on disk.
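To show what a defender can do with this, here is an added example (not code from ESET or from the Stantinko module) that pulls candidate mining-proxy endpoints out of a video description: it keeps only publicly routable IPv4 addresses, drops private, reserved and malformed ones, and returns each endpoint once. The description text and the addresses in it are constructed for the example, and the `IP[:port]` layout is an assumption about the format, not something the page specifies.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Endpoint(NamedTuple):
    """One candidate proxy address pulled out of a description."""
    ip: str
    port: Optional[int]


# Matches a dotted-quad with an optional :port, and refuses to match inside
# a longer run of digits and dots (e.g. the middle of "10.1.2.3.4").
IPV4_RE = re.compile(
    r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\d.])"
)


def extract_dead_drop_endpoints(description: str) -> List[Endpoint]:
    """Return publicly routable IPv4 endpoints found in free text.

    Private, loopback, link-local and documentation ranges are skipped
    because a miner cannot reach a proxy there from an arbitrary victim,
    and malformed quads such as 999.1.2.3 are rejected by ipaddress.
    """
    endpoints: List[Endpoint] = []
    seen = set()
    for match in IPV4_RE.finditer(description):
        ip_text, port_text = match.group(1), match.group(2)
        try:
            ip = ipaddress.IPv4Address(ip_text)
        except ValueError:
            continue  # octet out of range, not a real address
        if not ip.is_global:
            continue  # private/reserved: useless as a remote proxy
        port = int(port_text) if port_text else None
        if port is not None and not 0 < port < 65536:
            continue  # impossible port number
        key = (str(ip), port)
        if key in seen:
            continue  # same endpoint listed twice
        seen.add(key)
        endpoints.append(Endpoint(str(ip), port))
    return endpoints


# Constructed sample: a bland title followed by an address list, the kind of
# description a dead drop would carry. The addresses are made up for this
# example and are not indicators from the actual campaign.
SAMPLE_DESCRIPTION = """Nature relaxing 4K video
45.67.89.10:443
91.215.85.17
192.168.0.12:3333
999.1.2.3
45.67.89.10:443
"""


if __name__ == "__main__":
    for endpoint in extract_dead_drop_endpoints(SAMPLE_DESCRIPTION):
        print(endpoint)
```

Running this on the sample yields two endpoints (45.67.89.10 on port 443, and 91.215.85.17 with no port); the RFC 1918 address, the malformed quad and the duplicate are all dropped. Feeding it descriptions scraped from videos that a suspect process was observed fetching is a cheap way to turn the dead-drop pattern into a network blocklist.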

Researchers said, “The remaining strings and functions are heavily obfuscated. ESET security products detect this malware as Win{32,64}/CoinMiner.Stantinko. Due to the use of source-level obfuscations with a grain of randomness and the fact that Stantinko’s operators compile this module for each new victim, each sample of the module is unique.”

On top of this, the module looks for antivirus software, and it suspends mining when the PC is running on battery power or when Task Manager is opened, so that the victim does not notice the CPU load.

Source – WeLiveSecurity
