The crooks behind the Stantinko botnet are mining Monero using YouTube, it has been reported.
Researchers from IT security firm ESET discovered the criminals are distributing a Monero-mining module – CoinMiner.Stantinko – to the computers they control.
The operators of the Stantinko botnet, who control roughly half a million computers and have been active since at least 2012, mainly target users in Russia, Ukraine, Belarus, and Kazakhstan – but now they have expanded into a new business model.
To hide its communication, the module doesn’t communicate with its mining pool directly, but via proxies whose IP addresses are acquired from the description text of YouTube videos.
ESET says it informed YouTube of this abuse and all the channels with these videos were taken down.
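One defensive use of the detail above: a video description that carries raw IP:port pairs is an anomaly a hunting team can screen for. The following Python is an added example (not ESET's code, and the page does not say how Stantinko encodes the addresses, so the plain dotted-quad layout and the sample description are assumptions):

```python
import ipaddress
import re

# Constructed sample of a video description; addresses are from the RFC 5737
# documentation ranges, not real proxies.
SAMPLE_DESCRIPTION = """Best free music mix 2019 !!!
subscribe for more
192.0.2.10:8080 198.51.100.7:3333
contact: 203.0.113.5
version 1.2.3 released 10.11.2019"""

# Dotted quad with an optional ":port" suffix. The word boundaries stop the
# pattern from matching inside longer digit runs such as version strings.
_ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


def extract_ip_endpoints(text):
    """Return unique (ip, port) tuples found in text, in order of appearance.

    port is None when absent. Malformed octets (e.g. 999.1.1.1), ports outside
    1-65535, and loopback/multicast/unspecified addresses are dropped, since a
    hidden proxy list would only point at reachable hosts.
    """
    found, seen = [], set()
    for m in _ENDPOINT_RE.finditer(text):
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            continue
        port = int(m.group(2)) if m.group(2) else None
        if port is not None and not 1 <= port <= 65535:
            continue
        key = (str(addr), port)
        if key not in seen:
            seen.add(key)
            found.append(key)
    return found


def find_address_drops(descriptions):
    """Map video id -> endpoints for every description that carries any."""
    hits = {}
    for video_id, text in descriptions.items():
        endpoints = extract_ip_endpoints(text)
        if endpoints:
            hits[video_id] = endpoints
    return hits


if __name__ == "__main__":
    print(find_address_drops({"vid-constructed-1": SAMPLE_DESCRIPTION}))
```

Extracted endpoints can then be matched against proxy-server egress logs to find hosts that talk to addresses which first appeared in a video description.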
Vladislav Hrčka, the ESET malware analyst who conducted the research, said: “After years of relying on click fraud, ad injection, social network fraud, and credential stealing, Stantinko has started to mine Monero.
“Since at least August 2018, its operators have been distributing a cryptomining module to the computers they control.
After years of relying on click fraud, ad injection, social network fraud and credential stealing, #Stantinko botnet has started to mine #Monero. Today, #ESETresearch dives deeper into Stantinko's new #cryptomining business model. https://t.co/yZkXtojgYM
— ESET Research (@ESETresearch) November 26, 2019
This module’s most notable feature is the way it is obfuscated to thwart analysis and avoid detection.
“Due to the use of source-level obfuscations with a grain of randomness, and the fact that Stantinko’s operators compile this module for each new victim, each sample of the module is unique,” added Hrčka.
CoinMiner.Stantinko employs some interesting tricks to avoid detection, ESET claims.
To prevent raising the suspicion of victims, CoinMiner.Stantinko suspends the cryptomining function if the PC is on battery power or when a task manager is detected.
It also checks whether other cryptomining applications are running on the computer and, if so, suspends them. CoinMiner.Stantinko also scans the running processes for security software.
“While CoinMiner.Stantinko is far from being the most dangerous malware out there, it’s annoying, to say the least, to have the computer busy making money for criminals,” Hrčka said.
“More alarming should be the fact that at any point of time, Stantinko could serve the victims’ computers with any other – possibly damaging – malware.”