A massive adware botnet affecting approximately half a million users has been uncovered, after managing to stay under the radar for at least the last five years and attracting very little attention to its operations.
According to ESET, the Stantinko botnet is a complex threat mainly targeting Russia and Ukraine. Its operators monetize it mainly by installing malicious browser extensions that perform ad injection and click fraud. However, the malicious Windows services they install enable them to execute remote code on the infected host.
“We’ve seen them being used to send a fully featured backdoor, a bot performing massive searches on Google, and a tool performing brute-force attacks on Joomla and WordPress administrator panels in an attempt to compromise and potentially resell them,” ESET said, in an analysis.
The attacks on the administrative accounts of Joomla and WordPress websites rely on a brute-force attack using a list of credentials.
“The aim is to guess the password by trying tens of thousands of different credentials,” explained the researchers. “Once compromised, these accounts can be resold on the underground market. Then, they could be used to redirect site visitors to exploit kits elsewhere or to host malicious content.”
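As an added example (not ESET's code and not part of the original report), the following Python script shows one way a site owner could spot this kind of credential-list attack in a web server access log: it counts POSTs to the WordPress and Joomla login endpoints per source address inside a sliding time window. The log lines, the endpoint list, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Admin login endpoints of the CMSes named in the report (assumed paths).
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php"}
THRESHOLD = 5   # assumed: login POSTs from one source ...
WINDOW = 60     # ... within this many seconds is suspicious

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop query string before matching
    return m.group("ip"), ts, m.group("method"), path

def find_bruteforce_sources(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each source IP that POSTed to a login endpoint at least `threshold`
    times within any `window`-second span to the peak count observed."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still in window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire old entries
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: 198.51.100.7 hammers wp-login.php, the other two are single logins.
SAMPLE_LOG = [
    f'198.51.100.7 - - [20/Jul/2017:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "UA"'
    for s in range(0, 12, 2)
] + [
    '203.0.113.5 - - [20/Jul/2017:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "UA"',
    '198.51.100.9 - - [20/Jul/2017:10:01:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "UA"',
]

if __name__ == "__main__":
    for ip, n in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within {WINDOW}s")
```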
The operators have also developed a plugin that can interact with Facebook. It is able, among other things, to create accounts, ‘like’ a page or add a friend. To bypass Facebook’s CAPTCHA, it relies on an online anti-CAPTCHA service.
To infect a system, the operators trick users looking for pirated software into downloading executable files, sometimes disguised as torrents. FileTour, Stantinko’s initial installation vector, then noisily installs a large amount of software to distract the user while it covertly installs Stantinko’s first service in the background.
Stantinko also stands out because of its prevalence and its sophistication, such as heavy use of code encryption and rapid adaptation to avoid detection by anti-malware.
“Its authors make sure multiple parts are needed to conduct a complete analysis,” ESET researchers said. “There are always two components involved: A loader and an encrypted component.”
Although the developers of Stantinko use methods that are most often seen in APT campaigns, their final aim is to make money.
“Stantinko is a major threat, as it provides a large source of fraudulent revenue to cyber-criminals,” researchers said. “Moreover, the presence of a fully featured backdoor allows the operators to spy on all the victimized machines.”