ESET researchers warn that Stantinko – a huge botnet that has gone undetected for the past five years – is not only back but has also managed to infect half a million systems and allows its developers to “execute anything” on the infected machines.
The botnet was used for a massive adware campaign in 2012 that primarily targeted Ukraine and Russia. However, thanks to its ability to adapt quickly, to evade detection, and to keep its code encrypted, Stantinko has managed to stay under the radar all this time.
The individuals behind Stantinko use the FileTour application to target users looking for pirated software. FileTour is their initial infection vector: it installs a series of programs on the targeted machine while also installing the Stantinko botnet in the background. Stantinko, in turn, installs browser extensions that inject ads into the infected browsers and perform click fraud. However, it can also be used to carry out other operations, such as Google searches, brute-force attacks on WordPress and Joomla administrator panels, and backdoor activities.
After the infection, Stantinko also installs two malicious Windows services, each of which is able to reinstall the other if it is deleted. That is why a successful removal requires both services to be deleted at the same time; otherwise, the command-and-control (C&C) server will provide a new version of the removed service.
The browser extensions the botnet installs are Teddy Protection and The Safe Surfing. Both are advertised as legitimate applications that block unwanted URLs and are distributed through the Chrome Web Store. Once they are installed by Stantinko, however, the extensions receive a configuration to perform ad injection and click fraud.
The researchers also add that Stantinko is a modular backdoor which includes a loader able to execute any executable that the C&C server sends. Thanks to Stantinko's flexible plugin system, the botnet's operators are able to execute basically any code on the victim's machine.
The plugin system includes:
- Search Parser, which performs massive Google searches looking for Joomla and WordPress websites and uses compromised Joomla websites as C&C servers.
- Remote Administrator – a backdoor able to perform a wide range of operations, such as reconnaissance and data exfiltration.
- Brute-force, which performs distributed dictionary-based attacks on WordPress and Joomla administrative panels.
- Facebook Bot, which is able to operate on Facebook and perform various actions such as creating accounts, adding friends, and liking pages and pictures.
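The Brute-force plugin's dictionary attacks against WordPress and Joomla administrative panels leave a recognisable trace in web server access logs: repeated POST requests to the login endpoints from the same source address in a short time. The following is an added example, not code from ESET or from the article, that scans access-log lines in the standard "combined" format and flags source IPs whose POSTs to `/wp-login.php` or `/administrator/index.php` exceed a threshold within a sliding time window. The log lines, IP addresses (documentation ranges), timestamps and the threshold and window defaults are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format. The field order is the standard
# one, so the regex works on real logs as well as on the constructed sample.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Admin login endpoints that the dictionary attacks described above hit.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")

# Constructed sample log (not real traffic): one source hammering wp-login,
# one legitimate user mistyping a password, one slow source spread over 40
# minutes, a harmless GET, and a malformed line the parser must skip.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Jul/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2017:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2017:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2017:10:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2017:10:00:21 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jul/2017:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jul/2017:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jul/2017:10:01:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Jul/2017:10:05:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 4100 "-" "curl/7.5"',
    '192.0.2.9 - - [20/Jul/2017:10:15:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 4100 "-" "curl/7.5"',
    '192.0.2.9 - - [20/Jul/2017:10:25:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 4100 "-" "curl/7.5"',
    '192.0.2.9 - - [20/Jul/2017:10:35:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 4100 "-" "curl/7.5"',
    '192.0.2.9 - - [20/Jul/2017:10:45:00 +0000] "POST /administrator/index.php HTTP/1.1" 200 4100 "-" "curl/7.5"',
    'this line is not a valid access-log record',
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_bruteforce(lines, threshold=5, window_seconds=600):
    """Return {ip: attempts} for every source IP that POSTed to a login endpoint
    at least `threshold` times inside some sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # Drop the query string so /wp-login.php?action=login still counts.
        if method == "POST" and path.split("?", 1)[0] in LOGIN_PATHS:
            attempts[ip].append(ts)

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        best = 0
        # Two-pointer sliding window: advance `start` until the span fits.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible dictionary attack from {ip}: {count} login POSTs in 10 min")
```

With the defaults, only `198.51.100.7` is reported (six POSTs in twenty seconds); the user who mistyped a password once is not, and the slow source `192.0.2.9` only becomes visible when the window is widened to an hour. A real deployment would feed the function from a log tail rather than a list and would tune the threshold to the site's normal login rate.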
Stantinko's owners are mainly trying to earn revenue through click fraud and, according to experts, they are also very close to the advertisers, as victims would sometimes land directly on the advertiser's website right after passing through the Stantinko-owned ad network.
“On the other hand, traditional click-fraud malware relies on a series of redirections between several ad networks to launder their malicious traffic. This shows that not only are the Stantinko operators able to develop highly stealthy malware, but they are also able to abuse the traditional ad-serving economy without getting caught.” – ESET points out.
Moreover, the malware's operators are also trying to access the administrative accounts of WordPress and Joomla websites and sell their logins on the underground market. The crooks also take advantage of the Facebook bot, engaging in social network scams.
“Even though it isn’t noticeable to the user, due to the absence of CPU intensive tasks, Stantinko is a major threat, as it provides a large source of fraudulent revenue to cybercriminals. Moreover, the presence of a fully featured backdoor allows the operators to spy on all the victimized machines.” – the security researchers add.