Researchers Reveal Crypto Mining Botnet’s Devious Tactics


The cybercriminals behind the cryptocurrency mining botnet Stantinko have come up with some ingenious methods to evade detection.

Malware analyst Vladislav Hrčka of cybersecurity firm ESET was almost impressed when he unveiled the company’s latest findings and potential countermeasures in a blog post. “The criminals behind the Stantinko botnet are constantly improving and developing new modules that often contain interesting and non-standard techniques,” he wrote.

The botnet, estimated at half a million machines, has been active since 2012 and spread via malware embedded in pirated content. It mainly targets users in Russia, Ukraine, Belarus and Kazakhstan. It initially focused on click fraud, ad injection, social network fraud and password theft; in mid-2018, however, it added cryptocurrency mining to its arsenal with a Monero mining module.

Task Manager won’t help you

The module has components that detect security software and stop all competing crypto mining operations. The power-hungry module depletes most of a compromised machine’s resources, but cleverly suspends mining to avoid detection the moment a user opens Task Manager to find out why the PC is running so slowly.
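As an added illustration (not ESET's code, and not the botnet's), the following Python sketch shows how a defender could flag the Task Manager trick from process telemetry: per-second CPU samples are split by whether taskmgr.exe was running, and a process that is heavily loaded only while Task Manager is closed is reported. The sample data and the process names in it are constructed.

```python
from collections import defaultdict
from statistics import mean

# Constructed telemetry (not real Stantinko data): (seconds, process, cpu_percent),
# sampled once per second. "miner_sample.exe" is a hypothetical miner that idles
# while Task Manager is open; "backup.exe" is a legitimately busy process.
SAMPLES = [
    (0, "miner_sample.exe", 92.0), (0, "backup.exe", 60.0),
    (1, "miner_sample.exe", 95.0), (1, "backup.exe", 58.0),
    (2, "miner_sample.exe", 94.0), (2, "backup.exe", 61.0),
    # taskmgr.exe is running from t=3 to t=5 inclusive
    (3, "miner_sample.exe", 1.0), (3, "backup.exe", 59.0), (3, "taskmgr.exe", 4.0),
    (4, "miner_sample.exe", 0.5), (4, "backup.exe", 62.0), (4, "taskmgr.exe", 3.0),
    (5, "miner_sample.exe", 0.8), (5, "backup.exe", 60.0), (5, "taskmgr.exe", 3.5),
    (6, "miner_sample.exe", 93.0), (6, "backup.exe", 57.0),
    (7, "miner_sample.exe", 96.0), (7, "backup.exe", 59.0),
]

TASKMGR = "taskmgr.exe"


def taskmgr_seconds(samples):
    """Timestamps at which Task Manager was observed running."""
    return {t for t, proc, _ in samples if proc.lower() == TASKMGR}


def cpu_by_state(samples, observed):
    """Split each process's CPU samples into 'watched' (Task Manager open)
    and 'unwatched' (Task Manager closed) lists."""
    watched, unwatched = defaultdict(list), defaultdict(list)
    for t, proc, cpu in samples:
        if proc.lower() == TASKMGR:
            continue
        (watched if t in observed else unwatched)[proc].append(cpu)
    return watched, unwatched


def detect_taskmgr_evasion(samples, min_unwatched_cpu=50.0, max_ratio=0.1):
    """Return processes that are CPU-heavy while Task Manager is closed but
    fall to a small fraction of that load whenever it is open."""
    observed = taskmgr_seconds(samples)
    if not observed:
        return []  # Task Manager never ran in this window: nothing to compare
    watched, unwatched = cpu_by_state(samples, observed)
    suspects = []
    for proc, busy in unwatched.items():
        if proc not in watched or mean(busy) < min_unwatched_cpu:
            continue
        if mean(watched[proc]) <= max_ratio * mean(busy):
            suspects.append(proc)
    return sorted(suspects)


if __name__ == "__main__":
    print(detect_taskmgr_evasion(SAMPLES))
```

The thresholds are placeholders; in practice the same correlation can be built on process-start and CPU-usage events from an EDR or Sysmon feed rather than on polled samples.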

CoinMiner.Stantinko does not communicate directly with the mining pool; instead it uses proxies whose IP addresses are extracted from the description text of YouTube videos.

Constantly refined techniques

ESET released its first report on the crypto mining module in November last year, but new techniques have since been added to evade detection, including:

  • String obfuscation: meaningful strings are constructed and present in memory only while they are needed
  • Dead strings and resources: adding resources and strings that have no effect on functionality
  • Control flow obfuscation: transforming the control flow into a form that is hard to read and makes the execution order of the basic blocks unpredictable
  • Dead code: code that never runs, whose sole purpose is to make the file look more legitimate
  • Do-nothing code: adding code that runs but has no effect, one way to bypass behavioral detections

In the November report, Hrčka observed:

“The most notable feature of this module is the way it is obfuscated to hinder analysis and avoid detection. Due to the use of source-level obfuscation with a bit of randomness and the fact that Stantinko operators fill out this form for each new victim, each sample of the form is unique.”

Web-based crypto jacking decreases after Coinhive’s shutdown

In related news, researchers from the University of Cincinnati and Lakehead University in Ontario, Canada this week released a paper titled, “Is Cryptojacking Dead After Coinhive Arrest?”

The Coinhive script was installed on websites and, openly or covertly, mined Monero, until a sharp drop in Monero’s price during the “crypto winter” made it unprofitable and the operation was halted.

The researchers checked 2,770 websites that had previously been identified as running crypto mining scripts to see if they were still infected. While only 1% actively mined cryptocurrency, another 11.6% were still running Coinhive scripts trying to connect to the dead servers of the operation.

The researchers concluded:

“Cryptojacking did not end after Coinhive closed. It is still alive but not as attractive as before. It has become less attractive not only because Coinhive has discontinued its service, but also because it has become a less profitable source of income for owners of websites. For most sites, ads are even more profitable than mining.”
