The Stantinko botnet has been around since 2012 and has kept evolving. The latest addition to its wide portfolio of malicious activities, which already included click fraud, ad injection, social network fraud and password-stealing attacks, is cryptomining. According to researchers at the Slovakian security firm ESET, Stantinko is capable of installing cryptomining malware on victims’ devices using YouTube.
Stantinko’s Cryptomining Module
Researchers found that Stantinko’s cryptomining module exhausts most of the resources of the compromised machine by mining cryptocurrency with a heavily modified version of xmr-stak, an open-source cryptominer. All unnecessary strings, and even whole functionalities, have been removed in an attempt to evade detection.
Use of YouTube in Cryptomining
As mentioned earlier, Stantinko is constantly developing and improving its custom modules. This is evident from the fact that CoinMiner.Stantinko doesn’t communicate directly with its mining pool, but instead uses proxies whose IP addresses are acquired from the description text of YouTube videos.
The description of such a video consists of a string of mining proxy IP addresses, either in hexadecimal or enclosed in “!!!!” markers. This simplifies parsing and prevents possible changes to the HTML structure of the YouTube page from breaking the parser.
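As an added illustration for analysts (this is not code from the article or from ESET), the following Python decodes a video-description string of the kind described above into the proxy addresses a defender would want to block or hunt for. It assumes each IPv4 address is encoded as 8 hexadecimal characters, either bare or between “!!!!” markers; those encoding details are an assumption drawn from the description above, and the sample description is constructed.

```python
import re
from typing import List

# Constructed sample description: two proxy IPv4 addresses hex-encoded
# (8 hex chars each) inside "!!!!" markers, surrounded by filler text.
# Assumption: this layout follows the article's description of the
# format; real samples may differ in detail.
SAMPLE_DESCRIPTION = "Check this out !!!!C0A80001!!!! and !!!!0A000002!!!!"

# Hex blob enclosed in "!!!!" markers.
DELIMITED = re.compile(r"!!!!([0-9A-Fa-f]+)!!!!")
# Fallback: the whole description is one bare hex string.
BARE_HEX = re.compile(r"[0-9A-Fa-f]{8,}")


def hex_to_ipv4(hex_str: str) -> str:
    """Decode exactly 8 hex characters into a dotted-quad IPv4 string."""
    if len(hex_str) != 8:
        raise ValueError(f"expected 8 hex chars, got {len(hex_str)}")
    return ".".join(str(b) for b in bytes.fromhex(hex_str))


def extract_proxies(description: str) -> List[str]:
    """Return every proxy IP embedded in a description.

    A blob may carry several addresses back to back, so it is split
    into 8-character chunks; a trailing partial chunk is dropped so
    an analyst still gets the complete addresses.
    """
    blobs = DELIMITED.findall(description)
    if not blobs:
        stripped = description.strip()
        if BARE_HEX.fullmatch(stripped):
            blobs = [stripped]
    found = []
    for blob in blobs:
        for i in range(0, len(blob) - len(blob) % 8, 8):
            found.append(hex_to_ipv4(blob[i:i + 8]))
    return found


def looks_like_miner_description(description: str) -> bool:
    """Cheap triage check: does the text yield at least one address?"""
    return bool(extract_proxies(description))


if __name__ == "__main__":
    for ip in extract_proxies(SAMPLE_DESCRIPTION):
        print(ip)
```

The extracted addresses are candidate indicators only; confirm them against the sample before adding them to blocklists.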
YouTube has now taken down all the channels containing these videos after the ESET researchers informed the video-sharing platform of the abuse.
Stantinko Botnet’s Cryptomining Prowess
ESET has briefly described the cryptomining abilities of the Stantinko botnet. It said, “The main part performs the actual cryptomining; the other parts of the module are responsible for additional functions such as:
- Suspending other (i.e. competing) cryptomining applications.
- Detecting security software.
- Suspending the cryptomining function if the PC is on battery power or when a task manager is detected, to prevent being revealed by the user.”
The Stantinko botnet has typically targeted users in the former Soviet countries of Russia, Ukraine, Belarus and Kazakhstan. It is still active, and with the wide reach of YouTube, this botnet has the capability to spread like wildfire to other parts of the globe.
A McAfee Labs Threats Report revealed that cybercriminals were generating 480 new threats per minute. It also highlighted that IoT malware had increased by 73 percent, while cryptocurrency mining malware was up 71 percent, in the third quarter of 2018.