Stantinko Botnet Now Targeting Linux Servers to Hide Behind Proxies

An adware and coin-miner botnet targeting Russia, Ukraine, Belarus, and Kazakhstan at least since 2012 has now set its sights on Linux servers to fly under the radar.

According to a new analysis published by Intezer today and shared with The Hacker News, the trojan masquerades as HTTPd, a commonly used program on Linux servers, and is a new version of the malware belonging to a threat actor tracked as Stantinko.

Back in 2017, ESET researchers detailed a massive adware botnet that works by tricking users looking for pirated software into downloading malicious executables disguised as torrents to install rogue browser extensions that perform ad injection and click fraud.

The covert campaign, which controls a vast army of half a million bots, has since received a substantial upgrade in the form of a crypto-mining module aimed at profiting from the computers under its control.

Although Stantinko has traditionally been Windows malware, the group's expansion of its toolset to target Linux didn't go unnoticed: ESET observed a Linux trojan proxy deployed via malicious binaries on compromised servers.

Intezer’s latest research offers fresh insight into this Linux proxy, specifically a newer version (v2.17) of the “httpd” malware whose earlier version was v1.2, with one sample uploaded to VirusTotal on November 7 from Russia.

Upon execution, “httpd” validates a configuration file located at “etc/pd.d/proxy.conf” that is delivered along with the malware, then creates a socket and a listener to accept connections from what the researchers believe are other infected systems.

An HTTP POST request from an infected client paves the way for the proxy to pass the request on to an attacker-controlled server, which then responds with an appropriate payload that the proxy forwards back to the client.

In the event a non-infected client sends an HTTP GET request to the compromised server, the proxy responds with an HTTP 301 redirect to a preconfigured URL specified in the configuration file.
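The two behaviours just described give a defender a behavioural signature: a host that answers every GET, whatever the path, with a 301 to one fixed off-host URL, while accepting POSTs. The script below is an added example, not code from Intezer, ESET or this article; it runs that heuristic over constructed HTTP summary records in a hypothetical format (server, method, uri, status, location), with all addresses and URLs invented for illustration.

```python
"""Flag servers whose HTTP behaviour matches the Stantinko "httpd" proxy
pattern described above: all GETs -> 301 to one fixed external URL, POSTs -> 200.
Records are constructed sample data in a hypothetical format, not real traffic."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (hypothetical format; addresses/URLs are invented).
RECORDS = [
    {"server": "203.0.113.10", "method": "GET", "uri": "/", "status": 301, "location": "http://redirect.example/landing"},
    {"server": "203.0.113.10", "method": "GET", "uri": "/index.html", "status": 301, "location": "http://redirect.example/landing"},
    {"server": "203.0.113.10", "method": "GET", "uri": "/robots.txt", "status": 301, "location": "http://redirect.example/landing"},
    {"server": "203.0.113.10", "method": "POST", "uri": "/", "status": 200, "location": None},
    # A legitimate web server: GETs served normally, one on-host canonical redirect.
    {"server": "198.51.100.5", "method": "GET", "uri": "/", "status": 200, "location": None},
    {"server": "198.51.100.5", "method": "GET", "uri": "/old", "status": 301, "location": "https://198.51.100.5/new"},
    {"server": "198.51.100.5", "method": "POST", "uri": "/login", "status": 200, "location": None},
]


def suspicious_proxies(records, min_gets=3):
    """Return {server: redirect_url} for servers matching the proxy pattern."""
    by_server = defaultdict(lambda: {"get_301": [], "get_other": 0, "post_200": 0})
    for r in records:
        s = by_server[r["server"]]
        if r["method"] == "GET":
            if r["status"] == 301 and r["location"]:
                s["get_301"].append((r["uri"], r["location"]))
            else:
                s["get_other"] += 1  # a GET served normally breaks the pattern
        elif r["method"] == "POST" and r["status"] == 200:
            s["post_200"] += 1
    hits = {}
    for server, s in by_server.items():
        targets = {loc for _, loc in s["get_301"]}
        paths = {uri for uri, _ in s["get_301"]}
        # Enough GETs, to different paths, every one redirected to the same place,
        # never served directly, and POSTs accepted: that is the described proxy.
        if (len(s["get_301"]) >= min_gets and s["get_other"] == 0
                and len(targets) == 1 and len(paths) > 1 and s["post_200"] > 0):
            loc = targets.pop()
            if urlsplit(loc).hostname != server:  # redirect leaves the host
                hits[server] = loc
    return hits


if __name__ == "__main__":
    for server, loc in suspicious_proxies(RECORDS).items():
        print(f"{server}: every GET redirected to {loc}, POSTs accepted")
```

Confirming a hit still means checking the host itself, for example whether the process calling itself httpd is the distribution's package binary and whether the configuration path named above exists.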

Stating that the new version of the malware only functions as a proxy, Intezer researchers said the new variant shares several function names with the old version and that some hardcoded paths bear similarities to previous Stantinko campaigns.

“Stantinko is the latest malware targeting Linux servers to fly under the radar, alongside threats such as Doki, IPStorm and RansomEXX,” the firm said. “We think this malware is part of a broader campaign that takes advantage of compromised Linux servers.”
