ESET has investigated and identified a complex threat posed by a new strain of malware that has so far affected half a million users.
Dubbed as Stantinko, ESET’s latest white paper analyses this highly inconspicuous malware which tricks victims into downloading pirated software from fake torrent sites, and that has continually morphed to avoid detection for the last five years.
Targeting mainly Russian speakers, Stantinko is a network of bots which is monetised by installing browser extensions that inject fake ads while surfing the web. Once installed on a machine it can perform massive Google searches anonymously and create fake accounts on Facebook; with the capability to like pictures, pages and add friends.
A ‘Modular Backdoor’
Stantinko’s ability to evade anti-virus detection relies upon heavy obfuscation and hiding in plain sight inside code that looks legitimate, according to ESET.
Using advanced techniques, malicious code is hidden either encrypted in a file or in the Windows Registry. It is then decrypted using a key generated during the initial compromise. Its malicious behaviour can’t be detected until it receives new components from its command and control server, making it difficult to uncover.
Once a machine is infected, it installs two harmful Windows services that launch every time the system is started. “It is difficult to get rid of once you have it, as each component service has the ability to reinstall the other in case one of them is deleted from the system. To fully eliminate the problem, the user has to delete both services from their machine at the same time,” said Frédéric Vachon, Malware Researcher, ESET.
As soon as the malware is in the device it installs two browser plugins, both available on the Google Chrome Web Store – ‘The Safe Surfing’ and ‘Teddy Protection.’ “Both plugins were still available online during our analysis,” said Marc-Etienne Léveillé, Senior Malware Reseracher, ESET. “At first sight, they look like legitimate browser extensions and even have a website. However, when installed by Stantinko, the extensions receive a different configuration containing rules to perform click-fraud and ad injection.”
Once the malware has infiltrated, Stantinko’s operators can use flexible plugins to do anything they wish with the compromised system.
These include conducting massive anonymous searches to find Joomla and WordPress sites, performing brute force attacks on these sites, finding and stealing data, and creating fake accounts on Facebook.
How do Stantinko hackers make money?
Stantinko has the potential to be very lucrative as click fraud is a major source of revenue for hackers. Research conducted by White Ops and the Association of National Advertisers in the US estimated click fraud will cost businesses $6.5 billion this year alone.
Details of the sites victim to brute force attacks can also be sold on the underground market after it is compromised by Stantinko, which guesses the passwords by trying thousands of different credentials. Although ESET Researchers couldn’t witness the malicious activity on the social network, operators of Stantinko have a tool that allows them to perform fraud on Facebook, selling ‘likes’ to illegitimately capture the attention of unsuspecting consumers.
The Safe Surfing and Teddy Protection plugins are able to inject adverts or redirect the user. “It allows Stantinko operators to be paid for the traffic they provide to these adverts. We even found users would reach the advertiser’s website directly through Stantinko-owned ads,” said Matthieu Faou, Malware Researcher at ESET.