Stantinko Botnet Masterminds Use YouTube to Mine Cryptocurrencies Undetected
The Stantinko botnet has been mining cryptocurrencies via YouTube to avoid detection. Over 500,000 devices globally have been infected with the malware. The botnet's operators are distributing a crypto-mining tool customized to mine Monero and other digital coins.
The botnet targets Ukraine, Kazakhstan, Russia, and Belarus. The malware monetizes infections in several ways, among them password cracking, ad injection, click fraud, and social media scams.
The malware obfuscates itself to thwart analysis and avoid detection, according to research conducted by ESET. The obfuscation is applied randomly, so each Stantinko module is unique on every single victim's device.
The ESET research also observed that the cryptocurrency-mining malware is a hybrid version of the open-source xmr-stak crypto miner. To stay undetected, the botnet operators removed some functions from the miner that would otherwise make it easy to detect.
ESET detects the malware as CoinMiner.Stantinko (Win32/64). The miner does not communicate directly with the mining pool but goes through proxies whose IP addresses are taken from the description texts of YouTube videos. It then downloads the hashing-algorithm code from the crypto-mining proxy and keeps it only in memory. ESET said it had informed YouTube of this abuse, and the company has removed all channels hosting the videos.
The hashing code can be changed at each download, making it easy for the botnet operators to adjust the algorithm for a given currency and switch to mining other, more profitable cryptocurrencies, according to the ESET researchers.
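The proxy-discovery step described above (addresses embedded in YouTube video descriptions) suggests a simple hunting check for defenders: collect description texts and look for routable IPv4 addresses, flagging any that recur across unrelated videos. The following is an added example and not code from ESET or from the article; the description texts are constructed, the addresses come from documentation/test ranges, and a real deployment would feed in descriptions fetched through the YouTube Data API.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable

# Constructed sample description texts (not real YouTube content). The
# addresses are from RFC 5737 documentation ranges plus one RFC 1918 address.
SAMPLE_DESCRIPTIONS = [
    "Subscribe for more! contact 203.0.113.45:8080 for business",
    "Great tutorial. Mirror at 198.51.100.7 and 203.0.113.45",
    "local test only 192.168.1.20 and 999.1.2.3 and version 1.2.3",
]

# Dotted-quad candidates with an optional :port suffix. Syntactic matches are
# validated afterwards with ipaddress, so "999.1.2.3" is rejected there.
_IP_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?(?![\d.])")

# Ranges that cannot be an Internet-reachable proxy; dropped from the results.
# Listed explicitly rather than via is_private so documentation ranges survive
# for the sample data.
_LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")
]


def _is_local(ip: ipaddress.IPv4Address) -> bool:
    """True if the address falls in a non-routable range."""
    return any(ip in net for net in _LOCAL_NETS)


def extract_candidate_proxies(descriptions: Iterable[str]) -> Counter:
    """Count, per routable IPv4 address, how many descriptions mention it."""
    hits: Counter = Counter()
    for text in descriptions:
        seen_in_text = set()
        for match in _IP_RE.finditer(text):
            try:
                ip = ipaddress.IPv4Address(match.group(1))
            except ipaddress.AddressValueError:
                continue  # e.g. an octet above 255
            if _is_local(ip):
                continue
            seen_in_text.add(str(ip))
        hits.update(seen_in_text)  # count each address once per description
    return hits


def flag_recurring(hits: Counter, min_descriptions: int = 2) -> list:
    """Addresses appearing in at least min_descriptions distinct descriptions.

    A bare IP repeated across otherwise unrelated videos is the signal worth
    escalating; a single mention is usually a contact address or noise.
    """
    return sorted(ip for ip, n in hits.items() if n >= min_descriptions)


if __name__ == "__main__":
    counts = extract_candidate_proxies(SAMPLE_DESCRIPTIONS)
    for ip, n in counts.most_common():
        print(f"{ip:<16} seen in {n} description(s)")
    print("recurring:", flag_recurring(counts))
```

The threshold in `flag_recurring` is a tuning knob: on a corpus of thousands of descriptions a legitimate address (a streamer's game server, say) can also recur, so the output is a triage list to check against proxy and pool-connection telemetry, not a verdict.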
“When the module is downloaded from a remote server and loaded directly into memory, the core part of the module is never stored on disk. That process complicates detection, as the algorithm's patterns are difficult to detect,” reported the researchers.
ESET has established that the hashing algorithm used by CoinMiner.Stantinko is CryptoNight R. This cryptocurrency-mining module has been used to mine Monero; however, other cryptocurrencies use the same algorithm.
“The hashing algorithm is the only part of CoinMiner.Stantinko that remains unobfuscated, because obfuscation would slow hash calculation and lead to lower profits.”