Ancient Botnet Discovered

Monday, July 24, 2017 @ 05:07 PM gHale

A botnet of over 500,000 infected machines, engaged mostly in ad-related fraud, has been operating for about five years.

Compromised systems also come with a backdoor that lets the operators spy on victims and download additional malware onto the computers, said researchers at ESET.


Other notable characteristics of the Stantinko botnet include:
• It targets mostly Russian and Ukrainian users
• The operators published two ad-injection browser extensions on the Chrome Web Store, which the infected machines would download and install
• The malicious code is concealed inside legitimate free and open source software that was modified and recompiled
• The operation has been running stealthily since 2012

The operators managed to keep their work mostly undetected because they make heavy use of code encryption, and they hinder reverse engineering by ensuring that multiple parts are needed to conduct a complete analysis: no single artifact on disk contains the whole picture.

“There are always two components involved: A loader and an encrypted component,” ESET researchers said in a post. “The malicious code is concealed in the encrypted component that resides either on the disk or in the Windows Registry. This code is loaded and decrypted by a benign-looking executable.”

“The key to decrypt this code is generated on a per-infection basis. Some components use the bot identifier and others use the volume serial number from its victim PC’s hard drive. Making reliable detections based on the non-encrypted components is a very difficult task, since artifacts residing on the disk do not expose malicious behavior until they’re executed.”
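The following is an added illustration of why a per-infection key defeats hash- and signature-based scanning of the on-disk blob; it is not ESET's analysis and not Stantinko's code. The key derivation (SHA-256 over the volume serial number and a bot identifier), the SHA-256 counter-mode XOR stream, the sample payload and the two victim identities are all constructed assumptions standing in for whatever the real malware does.

```python
import hashlib
import struct

# Constructed stand-in for the malicious component that lives encrypted on disk.
# (Not real malware; it is just a byte string the example encrypts and scans for.)
PAYLOAD = b"inject-ads: rambler.ru -> redirect to sponsor;"


def derive_key(volume_serial: int, bot_id: bytes) -> bytes:
    """Hypothetical per-infection key.

    The page says some components key on the bot identifier and others on
    the volume serial number; mixing both here is an assumption for
    illustration, not the real scheme.
    """
    return hashlib.sha256(struct.pack("<I", volume_serial) + bot_id).digest()


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as an illustrative keystream (assumed, not the real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]


def encrypt_component(payload: bytes, volume_serial: int, bot_id: bytes) -> bytes:
    """What the dropper would write to disk or the registry on one specific victim."""
    key = derive_key(volume_serial, bot_id)
    return bytes(a ^ b for a, b in zip(payload, keystream(key, len(payload))))


# XOR with a keystream is symmetric, so the loader's decrypt is the same operation.
decrypt_component = encrypt_component


def on_disk_hashes(payload: bytes, victims: list) -> set:
    """SHA-256 of the encrypted blob as seen on each victim: one hash per infection."""
    return {
        hashlib.sha256(encrypt_component(payload, serial, bot_id)).hexdigest()
        for serial, bot_id in victims
    }


def in_memory_match(blob: bytes, volume_serial: int, bot_id: bytes,
                    signature: bytes = b"rambler.ru") -> bool:
    """A content signature only fires after the blob is decrypted with the host's own key,
    i.e. at execution time, which is why static scanning of the blob alone fails."""
    return signature in decrypt_component(blob, volume_serial, bot_id)


if __name__ == "__main__":
    # Two constructed victims: (volume serial number, bot identifier).
    victims = [(0x1234ABCD, b"bot-0001"), (0xDEADBEEF, b"bot-0002")]
    print("distinct on-disk hashes across victims:", len(on_disk_hashes(PAYLOAD, victims)))
    blob = encrypt_component(PAYLOAD, *victims[0])
    print("signature visible in blob on disk:", b"rambler.ru" in blob)
    print("signature visible after host-keyed decryption:", in_memory_match(blob, *victims[0]))
    print("decrypts on a different host:", in_memory_match(blob, *victims[1]))
```

The practical consequence for defenders: file hashes of the encrypted component are unique per victim and so are useless as shared indicators, while the benign-looking loader is the stable artifact, and the malicious content is only observable in memory after the loader has run.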

To ensure persistence, the threat installs two malicious Windows services; if one is found and removed, the other reinstalls it, so both must be removed together.

The initial installation vector (dubbed FileTour) usually poses as a torrent file for pirated software. Once the user runs the file, it installs several pieces of software while also installing the first malicious Windows service in the background.

From that point on, the malware downloads and installs two malicious Chrome extensions, “The Safe Surfing” and “Teddy Protection,” whose purpose is to inject advertisements or redirect users to specific sites when, for example, they search for something via the Russian search engine Rambler and click on one of the offered links.

The botnet operators are paid for the traffic they provide to advertisers, but that’s not their only source of revenue.

The Stantinko backdoor also features several plugins, which allow the operators to:
1. Perform massive distributed searches for Joomla and WordPress websites and brute-force the admin panels of those installations (the compromised credentials are probably sold on)
2. Create Facebook accounts, like pictures or pages, and add friends (prices are around $15 per 1,000 Facebook likes)
3. Download additional malware, exfiltrate data, and more

If you suspect your machine might be part of the botnet, search it for the Indicators of Compromise provided by ESET. Because the encrypted components are keyed per infection, their file hashes will differ from victim to victim; indicators that do not depend on the key, such as the benign-looking loader executables, the two Windows services and the two browser extensions, are the more reliable things to look for.
