Stantinko Botnet Plays Behind the Veils of YouTube to Mine Cryptocurrency

Akhilesh Agnihotri
Akhilesh is an engineer and research associate working with thecoinrepublic.com as part of the research team, doing research work on cryptocurrency and blockchain. His curiosity in research and writing brought him to thecoinrepublic.com. He believes writing is all about expressing thoughts with words and spreading information backed by well-researched work.


  • The malware, which is claimed to have affected several devices globally, has engaged in crypto mining behind the scenes of YouTube.
  • Stantinko’s operators apply source-level obfuscation when attacking each victim, creating a unique module for each attack.
  • CoinMiner.Stantinko communicates with the first mining proxy it finds alive.

Stantinko is a large botnet mainly used to install browser extensions which in turn inject ads and perform click fraud on infected computers.

As claimed by several researchers, this malware could be used to take full control of the target systems, eventually allowing cyber attackers to conduct various malicious activities.

The present attack

The malware, which is claimed to have affected several devices globally, has engaged in crypto mining behind the scenes of YouTube. The botnet’s operators are presently targeting the privacy-focused coin Monero, according to a report from ESET, a cybersecurity solution provider.

The botnet has engaged in several other illegal activities to produce income, including ad injection, click fraud, password-stealing attacks and social network fraud. Its main targets include users in Russia, Ukraine, Belarus and Kazakhstan, and it is reported to have been active since 2012.

ESET added that the module has the ability to obfuscate itself to evade detection. Stantinko’s operators apply source-level obfuscation when attacking each victim, creating a unique module for each attack.

The researchers from ESET also noted that the botnet’s module can be classified as an advanced version of the xmr-stak open-source crypto miner, modified in such a way as to avoid detection.

Apart from that, they added that ESET’s security products detect the malware as Win{32,64}/CoinMiner.Stantinko. Rather than communicating with the mining pool directly, it uses proxies whose IP addresses are obtained from YouTube videos.

However, at present, all the YouTube channels containing such videos have been taken down at ESET’s request.

CoinMiner.Stantinko communicates with the first mining proxy it finds alive. The hashing algorithm is then downloaded from the mining proxy at the beginning of the communication and loaded into memory.
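The two behaviours described above, proxy addresses pulled from YouTube video text and a miner that walks a list of proxies until one answers, both leave traces a defender can hunt for. The following is an added example (it is not code from the article or from ESET) showing one way to do that: it builds a watchlist of IPv4 addresses found in text an analyst has collected (the description strings below are constructed, not the real channels), then scans constructed outbound-connection log lines in a hypothetical `<timestamp> <host> -> <ip>:<port> <result>` format and reports, per host, the sequence of watchlisted addresses it tried before one connection was established.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample text standing in for video descriptions collected by an
# analyst. Addresses are from documentation ranges; 999.1.1.1 is deliberately
# invalid to show that candidates are validated, not just pattern-matched.
SAMPLE_DESCRIPTIONS = [
    "Best new tracks 2019 - subscribe!! contact: 203.0.113.45 thanks",
    "relaxing music playlist // 198.51.100.7 // enjoy",
    "no addresses here, just music 1.2.3 and a bogus 999.1.1.1",
]

# Constructed outbound-connection log in a hypothetical format:
# "<timestamp> <src_host> -> <dst_ip>:<dst_port> <result>"
SAMPLE_CONN_LOG = """\
2019-11-26T10:00:01 ws-017 -> 203.0.113.45:3333 refused
2019-11-26T10:00:02 ws-017 -> 198.51.100.7:3333 established
2019-11-26T10:00:05 ws-042 -> 93.184.216.34:443 established
2019-11-26T10:01:10 ws-099 -> 198.51.100.7:3333 established
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) -> (?P<ip>[\d.]+):(?P<port>\d+) (?P<result>\w+)$"
)


def extract_candidate_ips(texts):
    """Return the set of syntactically valid IPv4 addresses embedded in texts.

    The regex only finds dotted-quad shapes; ip_address() rejects octets
    above 255, so strings like 999.1.1.1 never reach the watchlist.
    """
    found = set()
    for text in texts:
        for candidate in IPV4_RE.findall(text):
            try:
                ip_address(candidate)
            except ValueError:
                continue
            found.add(candidate)
    return found


def parse_conn_log(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_proxy_failover(events, watchlist):
    """Per host, list the watchlisted addresses contacted, in log order, and the
    first one that accepted the connection (the 'first proxy found alive')."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["ip"] in watchlist:
            per_host[ev["host"]].append((ev["ip"], ev["result"]))
    findings = {}
    for host, attempts in per_host.items():
        tried = [ip for ip, _ in attempts]
        alive = next((ip for ip, res in attempts if res == "established"), None)
        findings[host] = {"tried": tried, "connected_to": alive}
    return findings


if __name__ == "__main__":
    watchlist = extract_candidate_ips(SAMPLE_DESCRIPTIONS)
    print("watchlist:", sorted(watchlist))
    for host, info in find_proxy_failover(parse_conn_log(SAMPLE_CONN_LOG), watchlist).items():
        print(f"{host}: tried {info['tried']}, connected to {info['connected_to']}")
```

The watchlist is only as good as the text fed to it, so in practice the hit on a single address is a lead, not a verdict; the stronger signal is the fail-over shape itself, a host probing several listed addresses in quick succession on the same port until one responds, which is what `find_proxy_failover` surfaces for `ws-017`.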

Because the hashing code is downloaded rather than shipped with the module, the Stantinko group is able to vary it with each execution.

It is these changes that give the module the capability to adapt to variations in the algorithms of existing currencies and subsequently switch to mining other profitable cryptocurrencies.

Since the core of the module is downloaded and loaded directly into memory, that part of the code is never saved to the hard disk. This is another method adopted to avoid detection, as it leaves no file on disk for pattern-based scanning to match.

At present, all activity of Stantinko’s crypto mining module aims to mine Monero, according to the analysis by ESET’s researchers, who reached that conclusion based on the jobs allotted by the mining proxy and the hashing algorithm.

The analysis revealed the use of a hashing algorithm known as CryptoNight R; however, this alone was not conclusive, because the same algorithm is common to a number of cryptocurrencies.

However, since obfuscation would reduce the efficiency of the hash calculations, the hashing algorithms are not obfuscated, unlike the rest of CoinMiner.Stantinko.

Prevention is better than cure

As stated above, since this malware is capable of taking control of an entire computer, a compromised system can be turned to whatever purpose serves the attackers, and the crypto mining module is only the latest such use.
