A Slovak cybersecurity firm has revealed that the Stantinko botnet, which has infected over 500,000 devices worldwide, is being used to mine the Monero cryptocurrency with the help of YouTube.
Slovak antivirus vendor ESET found that the Stantinko botnet operators have moved beyond fraud, password theft and ad injection.
Their method is unconventional: it relies on YouTube videos both to obfuscate the activity and to distribute the IP addresses the miner needs.
Although its behaviour on infected machines resembles that of the notorious banking malware Casbaneiro, the way it reaches the network is unique. CoinMiner.Stantinko communicates with its mining pool through proxies, and the proxy IP addresses are stored in the descriptions of YouTube videos as hexadecimal strings. The cryptomining module is executed through rundll32.exe; it then scans the list for the first live proxy, bouncing between proxies while staying undetected.
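As an added illustration for defenders (this is not code from ESET or from the article), here is a small Python helper for pulling hex-encoded IPv4 addresses out of a block of text such as a video description, which is the kind of check a threat hunter might run over suspicious descriptions. The article does not give the exact encoding Stantinko uses, so the assumption that each address is 8 hex digits with the most significant octet first, and the sample description text, are constructed for this example.

```python
import re
import ipaddress

# Constructed sample "video description"; the hex tokens are made-up
# examples, not real indicators from the ESET report.
SAMPLE_DESCRIPTION = (
    "Best gameplay highlights 2019! Follow me on social media.\n"
    "tags: c0a80101 deadbeef 0a000005 ffffffff\n"
    "colour: #1a2b3c\n"
)

# Exactly 8 hex digits, not embedded in a longer hex run (so a 6-digit
# colour code or a long hash is not picked up).
HEX_TOKEN = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{8})(?![0-9a-fA-F])")


def decode_hex_ipv4(token: str) -> str:
    """Decode an 8-character hex string into a dotted-quad IPv4 address.

    Assumed layout (not stated in the article): most significant octet first.
    """
    return str(ipaddress.IPv4Address(int(token, 16)))


def extract_candidate_ips(text: str) -> list:
    """Return the decoded address for every 8-hex-digit token, in order, deduplicated."""
    ips = []
    for token in HEX_TOKEN.findall(text):
        ip = decode_hex_ipv4(token)
        if ip not in ips:
            ips.append(ip)
    return ips


def plausible_proxy_ips(text: str) -> list:
    """Keep only globally routable candidates; private and broadcast
    addresses cannot be Internet-facing proxies and are filtered out."""
    return [ip for ip in extract_candidate_ips(text)
            if ipaddress.IPv4Address(ip).is_global]


if __name__ == "__main__":
    print("all candidates:", extract_candidate_ips(SAMPLE_DESCRIPTION))
    print("worth a closer look:", plausible_proxy_ips(SAMPLE_DESCRIPTION))
```

The filter on `is_global` is what makes this useful in practice: random 8-digit hex strings decode to *some* address, so the decoder alone produces noise, and keeping only routable addresses that recur across several descriptions is a reasonable first triage step before any of them is treated as an indicator.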
Stantinko’s miner slipped under the radar for so long because the tool slightly randomizes its footprint. It also has several failsafes that hinder detection, including suspending itself when the power supply is disconnected (on laptops) or when Task Manager is launched.
The miner is aggressive as well: it shuts down any competing miner it finds on the infected device.