Hundreds of botnets operate internationally to achieve various malicious objectives. One such botnet named Stantinko which has been operating since 2012 in countries such as Russia, Ukraine, Belarus, and Kazakhstan controls over half a million computers globally.
In its latest update, it has added a new capability of cryptomining making use of the highly anonymized cryptocurrency Monero creating a new profitable revenue stream. Although, before this, it still was utilizing Monero for cashing in money through other tactics such as click fraud and ad injection, it is the first time that it has sought to earn money directly through it.
The module was discovered by ESET, a software security firm, being distributed through YouTube. It is reported to be a modified version of an open-source cryptominer called xmr-stak. To avoid detection, all unnecessary components were removed with the remaining ones “heavily obfuscated”.
Additionally, the miner does not even communicate in any direct manner with its compromised mining pool but instead uses proxies “whose IP addresses are acquired from the description text of YouTube videos.” Yet, they are not the first of attackers to use such tactics. A banking malware named Casbaneiro has also been known to store encrypted C&Cs by concealing the text within descriptions.
Unlike the rest of CoinMiner.Stantinko, the hashing algorithm isn’t obfuscated, since obfuscation would significantly impair the speed of hash calculation and hence overall performance and profitability. However, the authors still made sure not to leave any meaningful strings or artifacts behind, ESET said in a blog post.
The good news is that upon informing YouTube, all such videos were taken down. However, the botnet has already infected 500,000 devices leaving a lot of users vulnerable. As common with cryptomining, these users can expect a significant lag on their computer speed with the high unauthorized usage of processing power resulting in so. These may look innocuous to the user as high usage is well concealed under the guise of legitimate task names but in actuality, the case is very different.
It is worth noting that this is not the first time when YouTube has been used for malicious purposes. In fact, in January last year, hackers were caught using YouTube ads to mine Monero coins. In March last year, a Russian anti-virus vendor reported that hackers were using YouTube’s comment section to infect users with password stealer malware.
Nonetheless, as with everything, precautions along with certain solutions can also be implemented to break free of such attacks. Firstly, one should have good anti-virus software because as seen above, even legitimate sites can end up infecting you. And so the only wall between your computer and that malware would be that anti-virus software whose use can end up saving you through timely detection.
Secondly, if your computer happens to be unusually slow, this could be a good hint that something is wrong and you may want to investigate further. Not all attacks may be guarded against a couple of simple steps but the ratio of being compromised is indeed greatly reduced.