The cybercriminal group behind the Stantinko crypto-mining botnet has recently devised some rather effective methods of keeping its mining module hidden from users and security software.
Showing Due Respect To Threats
Vladislav Hrčka, a malware analyst at the cybersecurity firm ESET, did not hide how impressed he was as he presented his firm's latest findings. In a recent blog post, ESET described what it had discovered about the Stantinko botnet and proposed countermeasures; Hrčka stated that the botnet was continually improving and developing new modules, and that these modules use fascinating, unconventional techniques to stay hidden.
The botnet, roughly 500,000 machines strong, has been active since at least 2012, spreading through malware embedded in pirated content. It mostly targets users in Ukraine, Belarus, Russia, and Kazakhstan.
In its early days, the botnet focused on ad injection, click fraud, password stealing, and social network fraud. In mid-2018, however, its operators added crypto mining to the list, primarily through a Monero mining module.
Downright Cheeky Countermeasures
The module has components that detect security software and that shut down any competing crypto-mining operation running on the same machine. Left to itself, the hungry module consumes all of the compromised machine's processing power.
However, the module suspends its mining the moment it detects the user opening Task Manager. The move is rather cheeky and leaves the user unaware of what is eating all of their processing power.
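The pause-on-Task-Manager trick is itself a signal a defender can hunt for: a process that sits at sustained high CPU, collapses to idle within seconds of taskmgr.exe starting, and resumes as soon as it exits. The following is an added example of that heuristic, not code from ESET's report or from Stantinko; the telemetry is constructed inline (per-second CPU readings of one suspect process plus process start/exit events), and the thresholds, reaction delay and window are assumptions.

```c
/* Added example, not ESET's or Stantinko's code: a hunting heuristic for a
 * miner that pauses itself when Task Manager is opened. The telemetry below
 * is constructed (per-second CPU % of one suspect process plus process
 * start/exit events); the thresholds and windows are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

struct cpu_sample { int t; double cpu; };                     /* seconds, CPU % */
struct proc_event { int t; const char *image; int started; }; /* started: 1=start, 0=exit */

/* Constructed sample: suspect process at ~95% CPU, Task Manager open from t=10 to t=20. */
static const struct cpu_sample SAMPLES[] = {
    { 0, 95 }, { 1, 96 }, { 2, 94 }, { 3, 97 }, { 4, 95 },
    { 5, 96 }, { 6, 95 }, { 7, 94 }, { 8, 96 }, { 9, 95 },
    {10, 60 }, {11,  5 }, {12,  2 }, {13,  1 }, {14,  2 },
    {15,  1 }, {16,  2 }, {17,  1 }, {18,  2 }, {19,  1 },
    {20, 30 }, {21, 94 }, {22, 95 }, {23, 96 }, {24, 95 },
    {25, 94 }, {26, 95 }, {27, 96 }, {28, 95 }, {29, 94 },
};
static const struct proc_event EVENTS[] = {
    { 10, "taskmgr.exe", 1 },
    { 20, "taskmgr.exe", 0 },
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Mean CPU over samples with from <= t < to; -1 if there are none. */
static double avg_cpu(const struct cpu_sample *s, size_t n, int from, int to) {
    double sum = 0; size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i].t >= from && s[i].t < to) { sum += s[i].cpu; k++; }
    return k ? sum / k : -1.0;
}

/* Returns 1 when the process was busy for `window` seconds before `image`
 * started, near-idle while it ran (allowing `react` seconds for the miner to
 * notice it), and busy again for `window` seconds after it exited. */
int looks_like_evasive_miner(const struct cpu_sample *s, size_t ns,
                             const struct proc_event *e, size_t ne,
                             const char *image, double busy, double idle,
                             int window, int react) {
    int start = -1, stop = -1;
    for (size_t i = 0; i < ne; i++) {
        if (strcmp(e[i].image, image) != 0) continue;
        if (e[i].started && start < 0) start = e[i].t;
        else if (!e[i].started && start >= 0 && stop < 0) stop = e[i].t;
    }
    if (start < 0 || stop < 0 || stop - (start + react) <= 0) return 0;
    double before = avg_cpu(s, ns, start - window, start);
    double during = avg_cpu(s, ns, start + react, stop);
    double after  = avg_cpu(s, ns, stop + 1, stop + 1 + window);
    if (before < 0 || during < 0 || after < 0) return 0;
    return before >= busy && during <= idle && after >= busy;
}

/* The constructed sample above: busy, idle under Task Manager, busy again. */
int demo_flagged(void) {
    return looks_like_evasive_miner(SAMPLES, COUNT(SAMPLES), EVENTS, COUNT(EVENTS),
                                    "taskmgr.exe", 80.0, 10.0, 5, 2);
}

/* Control: a process that stays busy regardless of Task Manager is not flagged. */
int demo_control(void) {
    struct cpu_sample steady[30];
    for (int t = 0; t < 30; t++) { steady[t].t = t; steady[t].cpu = 95.0; }
    return looks_like_evasive_miner(steady, 30, EVENTS, COUNT(EVENTS),
                                    "taskmgr.exe", 80.0, 10.0, 5, 2);
}

int main(void) {
    printf("constructed sample: %s\n", demo_flagged() ? "FLAGGED (pauses under Task Manager)" : "not flagged");
    printf("steady control:     %s\n", demo_control() ? "FLAGGED" : "not flagged");
    return 0;
}
```

In a real deployment the events would come from a process-creation/termination source such as Sysmon (event IDs 1 and 5) and the samples from per-process CPU counters. Treat a hit as a lead rather than a verdict: some legitimate software also throttles itself when it believes it is being watched, so the flagged process still needs to be inspected.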
CoinMiner.Stantinko does not even communicate with the mining pool directly. Instead, the module goes through proxies, whose IP addresses it obtains from the description texts of YouTube videos. Any way you look at it, that is a pretty unusual way of doing things.
Rising To The Challenges
ESET first reported on this mining module in early November of last year. Stantinko has since picked up new techniques to avoid detection by security software. These include obfuscating strings so that the meaningful ones exist only in memory, right when they are needed, and adding resources and strings that have no impact on functionality.
Furthermore, the control flow is obfuscated into a hard-to-read form that also makes the execution order of basic blocks unpredictable. The authors add dead code that never executes but lends the program a legitimate appearance. Lastly, they add code that does execute but ultimately does nothing, in a bid to escape behavioural detection.
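To make the four techniques concrete in source form, here is an added toy reimplementation of them; it is not code from ESET's analysis or from Stantinko. The checksum (32-bit FNV-1a), the XOR key 0x5a, the decoy string and the pool address "stratum+tcp://pool.example" are all assumptions chosen for the example. The readable checksum and its flattened twin compute the same value, which is the whole point: analysis gets harder while behaviour stays identical.

```c
/* Added example, not code from ESET's report or from Stantinko: toy versions
 * of (1) a string that exists only in memory, (2) a decoy resource string,
 * (3) control-flow flattening with an opaque predicate guarding dead code,
 * and (4) do-nothing code that executes but changes nothing observable.
 * Checksum, key, decoy text and pool address are made up for the example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* (2) Decoy string with no effect on functionality: it shows up in a
 * `strings` dump and looks like a legitimate Windows component. */
static const char DECOY_RESOURCE[] = "Windows Update Agent 7.6.7600.256";

/* (1) The meaningful string ("stratum+tcp://pool.example", hypothetical) is
 * stored XOR-encoded with key 0x5a; the plaintext never appears on disk. */
static const unsigned char ENC_URL[] = {
    0x29, 0x2e, 0x28, 0x3b, 0x2e, 0x2f, 0x37, 0x71, 0x2e, 0x39, 0x2a, 0x60, 0x75,
    0x75, 0x2a, 0x35, 0x35, 0x36, 0x74, 0x3f, 0x22, 0x3b, 0x37, 0x2a, 0x36, 0x3f,
};
#define URL_KEY 0x5a

/* Reference: 32-bit FNV-1a with ordinary, readable control flow. */
unsigned plain_checksum(const unsigned char *p, size_t n) {
    unsigned h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Dead-code target: reachable only through a predicate that is never true. */
static void fake_update_check(void) {
    printf("checking %s\n", DECOY_RESOURCE);
}

/* (3) Same computation, control flow flattened: every basic block becomes a
 * case in a dispatcher loop and the order is decided by a state variable with
 * arbitrary values, so the linear reading order no longer matches execution. */
unsigned flattened_checksum(const unsigned char *p, size_t n) {
    enum { S_INIT = 0x3a, S_TEST = 0x17, S_MIX = 0x5c, S_JUNK = 0x21, S_DONE = 0x08 };
    unsigned state = S_INIT, h = 0, junk = 0x1234;
    size_t i = 0;
    for (;;) {
        switch (state) {
        case S_INIT: h = 2166136261u; i = 0; state = S_TEST; break;
        case S_TEST: state = (i < n) ? S_MIX : S_DONE; break;
        case S_MIX:  h ^= p[i]; h *= 16777619u; i++; state = S_JUNK; break;
        case S_JUNK:
            /* (4) Do-nothing code: executes every iteration, net effect zero. */
            junk ^= (unsigned)i; junk ^= (unsigned)i;
            /* Opaque predicate: a square mod 4 is 0 or 1, never 3, so the
             * branch is dead code that merely looks like error handling. */
            if (((h & 7u) * (h & 7u)) % 4u == 3u) fake_update_check();
            state = S_TEST; break;
        case S_DONE: return h;
        default:     return 0; /* unreachable */
        }
    }
}

/* Decode the pool address into a stack buffer only for the moment it is
 * needed, compare, then wipe it so it is not left lying around in memory. */
int pool_url_matches(const char *expected) {
    char buf[sizeof ENC_URL + 1];
    for (size_t i = 0; i < sizeof ENC_URL; i++) buf[i] = (char)(ENC_URL[i] ^ URL_KEY);
    buf[sizeof ENC_URL] = '\0';
    int eq = strcmp(buf, expected) == 0;
    volatile char *wipe = buf;                /* volatile so the wipe is not optimised away */
    for (size_t i = 0; i < sizeof buf; i++) wipe[i] = 0;
    return eq;
}

int main(void) {
    const unsigned char msg[] = "stantinko";
    printf("plain     = %08x\n", plain_checksum(msg, sizeof msg - 1));
    printf("flattened = %08x\n", flattened_checksum(msg, sizeof msg - 1));
    printf("pool address present in memory only: %s\n",
           pool_url_matches("stratum+tcp://pool.example") ? "yes" : "no");
    return 0;
}
```

Run `strings` on the compiled binary: the decoy "Windows Update Agent" text is there, the pool address is not. The opaque predicate is deliberately simple so the point is visible; real samples use predicates that are much harder to prove constant, which is what keeps the dead code alive in a disassembler's view.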