The cybercriminals behind the crypto mining Stantinko botnet have devised some ingenious methods to evade detection.
Malware analyst Vladislav Hrčka from cybersecurity firm ESET sounded almost impressed as he unveiled the firm’s latest findings, and potential countermeasures, in a blog post. “The criminals behind the Stantinko botnet are constantly improving and developing new modules that often contain non-standard and interesting techniques,” he wrote.
The half-million strong botnet has been active since 2012 and was spread via malware embedded in pirated content. It mainly targets users in Russia, Ukraine, Belarus and Kazakhstan. It originally focused on click fraud, ad injection, social network fraud and password stealing attacks. However, in mid-2018, it added crypto mining to its arsenal with the Monero mining module.
Task Manager won’t help you
The module has components that detect security software and shut down any competing crypto mining operations. The power hungry module exhausts most of the resources of a compromised machine, but cleverly suspends mining to avoid detection the moment a user opens Task Manager to find out why the PC is running so slowly.
CoinMiner.Stantinko doesn't communicate with the mining pool directly, instead using proxies whose IP addresses are acquired from the description text of YouTube videos instead.
Constantly refining techniques
ESET released its first report on the crypto mining module in November last year, but since then, new techniques to evade detection have been added, including:
- Obfuscation of strings – meaningful strings are constructed and only present in memory when they are to be used
- Dead strings and resources – addition of resources and strings with no impact on the functionality
- Control-flow obfuscation – transformation of the control flow to a hard to read form and which makes the execution order of basic blocks unpredictable
- Dead code – code that is never executed, the only purpose of which is to make the files look more legitimate
- Do-nothing code – addition of code that is executed, but doesn't do anything. This is a way to bypass behavioral detections
In the November report Hrčka noted:
“This module’s most notable feature is the way it is obfuscated to thwart analysis and avoid detection. Due to the use of source level obfuscations with a grain of randomness and the fact that Stantinko’s operators compile this module for each new victim, each sample of the module is unique.”
Web based crypto jacking decreases after Coinhive shutdown
In related news, researchers at the University of Cincinnati and Lakehead University in Ontario, Canada this week released a paper called: "Is Cryptojacking Dead after Coinhive Shutdown?"
The Coinhive script was installed in websites and either overtly, or surreptitiously, mined Monero — until a big fall in the price of Monero during ‘crypto winter’ made it unprofitable and the operation was shut down.
The researchers checked 2770 websites that had previously been identified as running crypto mining scripts to see if they were still infected. While just 1% were actively mining cryptocurrency, another 11.6% were still running Coinhive scripts that were trying to connect to the operation's dead servers.
The researchers concluded:
"Cryptojacking did not end after Coinhive shut down. It is still alive but not as appealing as it was before. It became less attractive not only because Coinhive discontinued their service, but also because it became a less lucrative source of income for website owners. For most of the sites, ads are still more profitable than mining."