A botnet that has previously focused on click fraud has now turned to cryptocurrency mining. Known as Stantinko, the bot has been active since 2012, but it started mining crypto last year. To avoid detection, Stantinko has been using proxies whose IP addresses it posts on YouTube.

Security researchers from cybersecurity firm ESET discovered the botnet years ago. However, back then, it performed click fraud, social network fraud and ad injection to earn the cybercriminals money. It would also steal passwords from its victims.

However, since at least August 2018, the botnet has taken to crypto mining, the researchers revealed in a recent report. Its crypto mining module is a modified version of xmr-stak, an open source Monero miner. The criminals stripped out most of the miner's functionality in an attempt to evade detection. Security software detects the malware as Win{32,64}/CoinMiner.Stantinko.

Its most defining characteristic, however, is its use of YouTube to evade detection. CoinMiner.Stantinko doesn’t communicate with its mining pool directly. Instead, it uses proxies whose IP addresses are acquired from the description text of YouTube videos.

ESET security experts informed YouTube of the abuse and the firm took down all channels containing these videos.

To increase effectiveness, Stantinko enumerates all the running processes in the infected host, and if any other crypto miners are found, it shuts them down. The botnet has also put in place some measures that are meant to prevent detection by the host. For one, it suspends all mining operations once a task manager application is launched. The report further revealed:

“CoinMiner.Stantinko temporarily suspends mining if it detects there’s no power supply connected to the machine. This measure, evidently aimed at portable computers, prevents fast battery draining … which might raise the user’s suspicion.”

While the criminals have taken every step to obfuscate CoinMiner.Stantinko, it’s different with the hashing algorithm. The report explained, “Unlike the rest of CoinMiner.Stantinko, the hashing algorithm isn’t obfuscated, since obfuscation would significantly impair the speed of hash calculation and hence overall performance and profitability. However, the authors still made sure not to leave any meaningful strings or artifacts behind.”
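As an added example (not code from the ESET report or this article), the following Python heuristic shows how a defender might spot the two pause-on-observation behaviours described above in endpoint telemetry: a high-CPU process that goes quiet right after a task manager starts or right after the host switches to battery. The telemetry, event schema, field names and thresholds are constructed assumptions.

```python
"""Heuristic detector for the anti-analysis pauses described in the article.
Added example; the telemetry below is constructed and the event schema,
field names and thresholds are assumptions, not anything ESET published."""

TRIGGERS = {"taskmgr.exe", "procexp.exe"}  # analysis tools (assumed list)
HIGH, LOW, WINDOW = 60.0, 5.0, 10          # CPU % thresholds, window in seconds

# Constructed telemetry: (timestamp, event kind, fields). pid 4242 mimics a
# miner hiding behind a benign-looking name; chrome.exe is a benign control.
EVENTS = [
    (0,  "cpu",   {"pid": 4242, "name": "svchost.exe", "cpu": 92.0}),
    (5,  "cpu",   {"pid": 4242, "name": "svchost.exe", "cpu": 90.0}),
    (6,  "start", {"pid": 777,  "name": "taskmgr.exe"}),
    (10, "cpu",   {"pid": 4242, "name": "svchost.exe", "cpu": 0.5}),
    (15, "stop",  {"pid": 777,  "name": "taskmgr.exe"}),
    (20, "cpu",   {"pid": 4242, "name": "svchost.exe", "cpu": 91.0}),
    (21, "power", {"state": "battery"}),
    (25, "cpu",   {"pid": 4242, "name": "svchost.exe", "cpu": 1.0}),
    (30, "cpu",   {"pid": 9001, "name": "chrome.exe",  "cpu": 85.0}),
    (40, "cpu",   {"pid": 9001, "name": "chrome.exe",  "cpu": 80.0}),
]

def find_stealth_pauses(events):
    """Return (pid, name, trigger) for each high-CPU process whose CPU
    collapses within WINDOW seconds after an analysis tool starts or the
    host switches to battery power."""
    last_cpu = {}   # pid -> (ts, cpu) of the previous sample
    triggers = []   # (ts, label) of trigger events still inside the window
    hits = []
    for ts, kind, f in events:
        if kind == "start" and f["name"].lower() in TRIGGERS:
            triggers.append((ts, f["name"]))
        elif kind == "power" and f["state"] == "battery":
            triggers.append((ts, "power:battery"))
        elif kind == "cpu":
            pid, cpu = f["pid"], f["cpu"]
            prev = last_cpu.get(pid)
            if prev and prev[1] >= HIGH and cpu <= LOW:
                # the drop happened between two samples; did a trigger fire in between?
                for t_ts, label in triggers:
                    if prev[0] <= t_ts <= ts:
                        hits.append((pid, f["name"], label))
                        break
            last_cpu[pid] = (ts, cpu)
        # forget triggers that are older than the correlation window
        triggers = [t for t in triggers if ts - t[0] <= WINDOW]
    return hits
```

A single hit is weak evidence on its own; the same process pausing on both triggers, as in the constructed sample, is the pattern worth escalating.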

The researchers believe that Stantinko has infected over 500,000 machines globally. However, its main targets are machines in Ukraine, Russia, Kazakhstan and Belarus.
