Stantinko Botnet Now Targeting Linux Servers to Hide Behind Proxies

  • An adware and coin-miner botnet that has targeted Russia, Ukraine, Belarus, and Kazakhstan since at least 2012 has now set its sights on Linux servers to fly under the radar.

    According to a new analysis published by Intezer today and shared with The Hacker News, the trojan masquerades as HTTPd, a commonly used program on Linux servers, and is a new version of the malware belonging to a threat actor tracked as Stantinko.

    Back in 2017, ESET researchers detailed a massive adware botnet that works by tricking users looking for pirated software into downloading malicious executables disguised as torrents, which install rogue browser extensions that perform ad injection and click fraud.

    The covert campaign, which controls a vast army of half a million bots, has since received a significant upgrade in the form of a crypto-mining module aimed at profiting from the computers under its control.

    While Stantinko has traditionally been Windows malware, the expansion of the operators' toolset to target Linux did not go unnoticed, with ESET observing a Linux trojan proxy deployed via malicious binaries on compromised servers.

    Intezer's latest research offers fresh insight into this Linux proxy, specifically a newer version (v2.17) of the same malware (v1.2) called "httpd," with one sample of the malware uploaded to VirusTotal on November 7 from Russia.

    Upon execution, "httpd" validates a configuration file located at "etc/pd.d/proxy.conf", which is delivered along with the malware, and then creates a socket and a listener to accept connections from what the researchers believe are other infected machines.

    An HTTP POST request from an infected client causes the proxy to pass the request on to an attacker-controlled server, which responds with an appropriate payload that the proxy forwards back to the client.

    In the event that a non-infected client sends an HTTP GET request to the compromised server, an HTTP 301 redirect to a preconfigured URL specified in the configuration file is sent back instead.

    Noting that the new version of the malware only functions as a proxy, Intezer researchers said the new variant shares several function names with the old version and that some hardcoded paths bear similarities to earlier Stantinko campaigns.
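    The request handling described above (POST from a bot relayed to an upstream server, GET from anyone else answered with a fixed 301) can be modelled in a few lines, and the same model suggests a cheap probe for defenders: an ordinary web server that redirects does so per path (a canonical-host redirect preserves the requested path), whereas this proxy sends every GET to the one URL in its configuration. The following is an added example written for this page, not code from Intezer or from the malware; the upstream server, the redirect URL, the probe paths and the plain-text config values are hypothetical stand-ins, and the real wire format of the bot's POST body and the upstream's reply is not described in the report.

```python
"""Behavioural model of the Stantinko Linux proxy described above, plus a probe
that distinguishes its fixed 301 from an ordinary path-preserving redirect."""
import re
from typing import Callable, Dict, Iterable, Optional, Tuple

# Hypothetical values standing in for whatever proxy.conf really contains.
REDIRECT_URL = "http://redirect.invalid/landing"   # preconfigured 301 target


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def simulated_upstream(body: bytes) -> bytes:
    """Stand-in for the attacker-controlled server (format unknown; assumed)."""
    return b"PAYLOAD-FOR:" + body


def proxy_handle(raw: bytes, redirect_url: str = REDIRECT_URL) -> bytes:
    """Dispatch one request the way the report describes the trojan does:
    POST (infected client) -> relayed upstream, reply relayed back verbatim;
    anything else (ordinary visitor) -> 301 to the preconfigured URL."""
    method, _path, _headers, body = parse_request(raw)
    if method == "POST":
        payload = simulated_upstream(body)
        return (b"HTTP/1.1 200 OK\r\nContent-Length: " + str(len(payload)).encode()
                + b"\r\nConnection: close\r\n\r\n" + payload)
    return (b"HTTP/1.1 301 Moved Permanently\r\nLocation: " + redirect_url.encode()
            + b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")


def legit_www_redirect(raw: bytes) -> bytes:
    """A benign server that 301s every path to its canonical host but keeps the
    path; used to show the probe below does not fire on this common setup."""
    _method, path, _headers, _body = parse_request(raw)
    location = "http://www.example.invalid" + path   # hypothetical host
    return (b"HTTP/1.1 301 Moved Permanently\r\nLocation: " + location.encode()
            + b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")


def location_of(response: bytes) -> Optional[str]:
    """Return the Location header of a 301 response, else None."""
    status, _, rest = response.partition(b"\r\n")
    if not status.startswith(b"HTTP/1.1 301"):
        return None
    match = re.search(rb"(?im)^Location:[ \t]*(\S+)", rest)
    return match.group(1).decode("latin-1") if match else None


# Hypothetical probe paths: a mix of paths a real site would and would not serve.
PROBE_PATHS = ("/", "/index.html", "/robots.txt", "/zz-probe-8f1a", "/.well-known/x")


def probe_for_fixed_redirect(send: Callable[[bytes], bytes],
                             paths: Iterable[str] = PROBE_PATHS) -> Optional[str]:
    """Send a GET for each path through `send` (a function that returns the raw
    reply).  Return the single URL every path was redirected to, which is what
    the proxy described above does, or None if any path was not a 301 or the
    targets differed (a path-preserving redirect)."""
    locations = set()
    for path in paths:
        request = ("GET %s HTTP/1.1\r\nHost: target\r\nConnection: close\r\n\r\n"
                   % path).encode()
        location = location_of(send(request))
        if location is None:
            return None
        locations.add(location)
    return locations.pop() if len(locations) == 1 else None


if __name__ == "__main__":
    print("proxy model :", probe_for_fixed_redirect(proxy_handle))
    print("benign www  :", probe_for_fixed_redirect(legit_www_redirect))
```

    To run the probe against a real host, replace the `send` argument with a function that writes the request to a TCP socket and reads the reply. A single fixed redirect target is only a heuristic (parked domains behave the same way), so treat a hit as a reason to inspect the host, not as proof: on the box itself, check that the `httpd` binary actually belongs to the installed package (`rpm -Vf` on the path, or `dpkg -V`) and look for the unexpected `pd.d/proxy.conf` file the report mentions.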

    “Stantinko is the latest malware targeting Linux servers to fly under the radar, joining threats such as Doki, IPStorm and RansomEXX,” the company said. “We think this malware is part of a broader campaign that takes advantage of compromised Linux servers.”
