The Multi-Purpose Module
Security researchers at ESET first surfaced this finding and detailed it on their blog. The Stantinko group has been infamous for ad injection, password theft and clickbait, with most of its victims in countries such as Russia, Ukraine and Belarus, all in the service of revenue. Since its inception in 2012, it is estimated to have infected more than 500,000 systems worldwide. With that track record, Stantinko has now been found mining cryptocurrency using its victims' computing resources. Though this may seem common these days, Stantinko's obfuscation methods are notable for how well they evade detection, and that is what makes the campaign stand out. The module it drops is said to be a heavily modified version of xmr-stak, which gives Stantinko a crypto miner to mint coins, a detector that watches for signs the mining has been noticed, a component that suspends operations if something suspicious is found, and logic to kill competing cryptominers. The package was delivered, and communicates with its operators, via YouTube video descriptions! Clever, isn't it?
Leveraging YouTube Descriptions
At the core of crypto mining is the hashing process, and here the miner (CoinMiner.Stantinko) communicates with the attacker indirectly through proxies. The addresses of these proxies are taken from YouTube video descriptions. This was later reported to YouTube, and the videos were taken down. The miner downloads the hashing algorithm and stores it on disk for later use, for example so that it can be swapped out to mine a more profitable cryptocurrency. Keeping the algorithm on disk as a separate component also makes the miner harder for antivirus software to detect. Beyond this, the module includes detectors that look for antivirus software so it can stay hidden, and that alert it when the PC's battery power is disconnected or Task Manager is run, so it can pause and avoid arousing the victim's suspicion. Source – WeLiveSecurity
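The "dead drop" pattern described above, where a non-browser process pulls its proxy addresses from a public video description and then talks to a mining proxy, is something a defender can look for in endpoint network telemetry. The following is an added illustration, not code from ESET or the WeLiveSecurity write-up: it runs a simple two-stage heuristic over a few constructed network events. The event format, the browser allow-list, the sample process names and the list of "stratum-like" ports are all assumptions chosen for the example.

```python
"""Toy detection for the YouTube dead-drop pattern (added example, not ESET's code).

Stage 1: flag non-browser processes that fetch a known dead-drop host.
Stage 2: among those, flag processes that afterwards connect to a port
commonly used by mining pools/proxies (assumed list; tune for your estate).
"""
from dataclasses import dataclass

# Assumption: typical browser image names; real deployments should derive this
# from an inventory rather than a hard-coded set.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe"}
# Hosts the page describes as the dead-drop channel.
DEAD_DROP_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be"}
# Assumption: ports frequently used by stratum mining pools; not from the page.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}


@dataclass(frozen=True)
class NetEvent:
    """One outbound connection, Sysmon-style (constructed format)."""
    ts: int          # seconds since some epoch, used only for ordering
    pid: int
    image: str       # process image name, lower-case
    dest_host: str   # resolved hostname, or the IP literal if none
    dest_port: int


def find_dead_drop_candidates(events):
    """Return {pid: image} for non-browser processes that contacted a dead-drop host."""
    hits = {}
    for ev in events:
        if ev.image not in BROWSERS and ev.dest_host in DEAD_DROP_HOSTS:
            hits[ev.pid] = ev.image
    return hits


def find_miner_candidates(events):
    """Return the set of pids that fetched a dead-drop host and *later* hit a stratum-like port."""
    ordered = sorted(events, key=lambda e: e.ts)
    first_drop_ts = {}   # pid -> ts of first dead-drop fetch by a non-browser process
    flagged = set()
    for ev in ordered:
        if ev.image not in BROWSERS and ev.dest_host in DEAD_DROP_HOSTS:
            first_drop_ts.setdefault(ev.pid, ev.ts)
        elif ev.pid in first_drop_ts and ev.dest_port in STRATUM_PORTS and ev.ts > first_drop_ts[ev.pid]:
            flagged.add(ev.pid)
    return flagged


# Constructed sample telemetry: one browser (benign), one process that only
# reads a video page, and one that reads a video page and then contacts a
# mining-style port on a documentation-range IP.
SAMPLE_EVENTS = [
    NetEvent(100, 1001, "chrome.exe", "www.youtube.com", 443),
    NetEvent(105, 5151, "notepad.exe", "www.youtube.com", 443),
    NetEvent(110, 4242, "updater.exe", "www.youtube.com", 443),
    NetEvent(111, 4242, "updater.exe", "203.0.113.10", 3333),
    NetEvent(112, 1001, "chrome.exe", "203.0.113.10", 3333),   # browser: ignored by design
]


if __name__ == "__main__":
    print("dead-drop readers:", find_dead_drop_candidates(SAMPLE_EVENTS))
    print("likely miners    :", find_miner_candidates(SAMPLE_EVENTS))
```

Stage 1 alone is noisy (any updater or helper that embeds a web view will trip it), which is why the second stage insists on the ordering the page describes: the dead-drop fetch first, then the connection to the mining proxy. A real deployment would replace the hard-coded sets with inventory data and feed events from Sysmon Event ID 3 or an equivalent EDR source.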