Botnets themselves are nothing new. What is concerning is the rate at which they are growing in complexity, both in their attack vectors and in the breadth of their targets. From Mirai to Necurs, the InfoSec community has had to deal with record-breaking DDoS attacks and massive malware campaigns that threatened key infrastructure. According to researchers at ESET, another botnet with considerable potential has now emerged: the Stantinko botnet.
In a recent report posted to welivesecurity, ESET researchers picked apart the Stantinko botnet, which has been attacking both Russian and Ukrainian targets. Stantinko's main activity has been an adware campaign that hit roughly half a million users in those regions. Most victims are infected while trying to download pirated software; what they actually get is not pirated software at all but a malicious .exe file disguised as a torrent.
ESET describes the infection process as follows:
To infect a system, they trick users looking for pirated software into downloading executable files sometimes disguised as torrents. FileTour, Stantinko’s initial installation vector, then loudly installs a lot of software to distract the user while it covertly installs Stantinko’s first service in the background.
Once installed, the adware turns the infected system into a source of revenue through ad injection and clickjacking, which it carries out by installing two browser extensions, The Safe Surfing and Teddy Protection. That is only phase one of the attack, however, because the Stantinko botnet has a far broader set of capabilities. The ESET report lists the botnet's post-infection components, including "a fully featured backdoor, a bot performing massive searches on Google, and a tool performing brute-force attacks on Joomla and WordPress administrator panels in an attempt to compromise and potentially resell them."
A detailed chart of the entire Stantinko attack chain can be seen below:
The most striking thing about Stantinko is that it is not new. The botnet has been gathering strength and adding new attack patterns since its inception in 2012. It escaped discovery until 2017 because of its use of code encryption and antivirus-evasion techniques.
While its targets are in Eastern Europe for now, a botnet with these capabilities that avoided detection for so long will likely go global. Botnets are a versatile attack tool for skiddies and seasoned black hats alike. The cybersecurity community would do well to learn as much as possible about Stantinko before the botnet casts an even wider net.
Photo credit: Pexels