HomeWinBuzzer NewsThe Stantinko Botnet Is Now Using Youtube Videos to Disguise Its Cryptomining

The Stantinko Botnet Is Now Using Youtube Videos to Disguise Its Cryptomining

Stantinko uses a network of YouTube video descriptions to provide a proxy to its mining pool, therefore causing PCs to trust the URL.

-

Security researchers from ESET have uncovered an expansion of the Stantinko that's using YouTube videos to share proxy IPs. The botnet now consists of 500,000 PCs and has moved from spreading adware and password-stealing to crypto mining.

The currency in question is Monero, with most infected PCs in Russia, Ukraine, Belarus, and Kazakhstan. However, while the mining methods used are quite popular – a modified version of xmr-stak, its methods to hide its activities are note-worthy.

The creators of Stantinko has heavily modified xmr-stak, removing some functionality and strings to avoid detection. On top of that, it doesn't directly communicate with its mining pool. Instead, it uses proxies whose IP addresses are shared via YouTube videos.

Hexidecimal and Exclamation Marks

Videos with Russian language titles contain a description with hexadecimal which corresponds to two IP addresses. The addresses are further enclosed by exclamation points to make parsing easier and protect against changes to the video's HTML structure.

“Currently the module receives a video identifier as a command line parameter instead. This parameter is then used to construct the YouTube URL, in the form https://www.youtube.com/watch?v=%PARAM%,” explains ESET. “The cryptomining module is executed either by Stantinko's BEDS component, or by rundll32.exe via a batch file that we have not captured, with the module loaded from a local file system location of the form %TEMP%\%RANDOM%\%RANDOM_GUID%.dll.”

After being informed of the methods, YouTube removed all of the offending videos. This should prevent some of the stealth of the script, as PCs are less likely to flag malware accessing a trusted site like YouTube.

Stantinko has now been around since 2012 and this recent evolution shows that it's not going to disappear any time soon. All consumers can do is monitor their PC for suspicious resource usage, avoid suspicious links, and keep their security software updated.

SourceESET
Ryan Maskell
Ryan Maskellhttps://ryanmaskell.co.uk
Ryan has had a passion for gaming and technology since early childhood. Fusing the skills from his Creative Writing and Publishing degree with profound technical knowledge, he enjoys covering news about Microsoft. As an avid writer, he is also working on his debut novel.

Recent News