The cyber criminals behind the cryptomining Stantinko botnet have come up with some ingenious methods to bypass detection.
Malware analyst Vladislav Hrčka from cybersecurity firm ESET was almost impressed when he revealed the company’s latest findings and possible countermeasures in a blog post. “The criminals behind the Stantinko botnet are constantly improving and developing new modules that often include non-standard and interesting techniques,” he wrote.
The half-million-strong botnet has been operating since 2012 and was distributed through malware embedded in illegal content. It mainly targets users in Russia, Ukraine, Belarus and Kazakhstan. It originally focused on click fraud, ad injection, social network fraud and password stealing attacks. However, in mid-2018, it added crypto mining to its arsenal with the Monero mining module.
The module contains components that detect security software and shut down all competing crypto mining operations. The energy-hungry module depletes most of the resources of a compromised machine, but cleverly suspends mining to prevent detection the moment a user opens Task Manager to find out why the PC is running so slowly.
CoinMiner.Stantinko does not communicate directly with the mining pool, but instead uses proxies whose IP addresses are obtained from the descriptive text of YouTube videos.
ESET released its first report on the cryptomining module in November last year, but new techniques to bypass detection have since been added, including:
- String obfuscation – meaningful strings are constructed and only present in memory when they are to be used
- Dead strings and resources – addition of resources and strings without affecting functionality
- Control-flow obfuscation – transformation of the control flow into a hard-to-read form and making the execution order of basic blocks unpredictable
- Dead code – code that never runs for the sole purpose of making the files look more legitimate
- Do-nothing code – addition of code that runs, but does nothing. This is a way to bypass behavioral detection
In the November report, Hrčka noted:
“The most notable feature of this module is the way it is veiled to thwart analysis and prevent detection. By using source-level obscuration with a certain arbitrariness and the fact that Stantinko operators assemble this module for each new victim, each sample of the module is unique.”
In related news, researchers at the University of Cincinnati and Lakehead University in Ontario, Canada, released a paper this week entitled “Is Cryptojacking Dead After Coinhive Shutdown?”
The Coinhive script was installed on websites and Monero was openly or secretly mined – until a major price drop from Monero during the ‘crypto winter’ made it unprofitable and the operation was halted.
The researchers checked 2,770 websites previously determined to run cryptomining scripts to see if they were still infected. While only 1% were actively mining cryptocurrency, another 11.6% were still running Coinhive scripts attempting to connect to the operation’s dead servers.
The researchers concluded:
“Cryptojacking didn’t stop after Coinhive closed. It is still alive, but not as attractive as before. It became less attractive not only because Coinhive discontinued their service, but also because it became a less lucrative source of income for website owners. For most sites, ads are still more profitable than mining.”