ESET Waves Red Flag: Insight into Hidden Malware Affecting 500,000 Users
Created: 2017-07-20 07:35:37
ESET, a global leader in cybersecurity, has investigated and identified a complex threat posed by a new strain of malware that has so far affected half a million users.
Dubbed as Stantinko, ESET analyzes this highly inconspicuous malware which tricks victims into downloading pirated software from fake torrent sites, and that has continually morphed to avoid detection for the last five years. Targeting mainly Russian speakers, Stantinko is a network of bots which is monetized by installing browser extensions that inject fake ads while surfing the web. Once installed on a machine it can perform massive Google searches anonymously and create fake accounts on Facebook with the capability to like pictures, pages and add friends.
A Modular Backdoor
Stantinko’s ability to evade anti-virus detection relies upon heavy obfuscation and hiding in plain sight inside code that looks legitimate. Using advanced techniques, malicious code is hidden either encrypted in a file or in the Windows Registry. It is then decrypted using a key generated during the initial compromise. Its malicious behavior can’t be detected until it receives new components from its command and control server, making it difficult to uncover.
Once a machine is infected, two harmful Windows services that launch every time the system is started are installed.
“It is difficult to get rid of once you have it, as each component service has the ability to reinstall the other in case one of them is deleted from the system. To fully eliminate the problem, the user has to delete both services from their machine at the same time,” explains Frédéric Vachon, Malware Researcher at ESET.
Once inside a device, Stantinko installs two browser plugins, both available on the Google Chrome Web Store – ‘The Safe Surfing’ and ‘Teddy Protection.’
“Both plugins were still available online during our analysis,” says Marc-Etienne Léveillé, Senior Malware Reseracher at ESET. “At first sight, they look like legitimate browser extensions and even have a website. However, when installed by Stantinko, the extensions receive a different configuration containing rules to perform click-fraud and ad injection.”
Once the malware has infiltrated, Stantinko’s operators can use flexible plugins to do anything they wish with the compromised system. These include conducting massive anonymous searches to find Joomla and WordPress sites, performing brute force attacks on these sites, finding and stealing data, and creating fake accounts on Facebook.
How do Stantinko hackers make money?
Stantinko has the potential to be very lucrative as click fraud is a major source of revenue for hackers. Research conducted by White Ops and the Association of National Advertisers in the US estimated click fraud will cost businesses $6.5 billion this year alone.
Details of the sites victim to brute force attacks can also be sold on the underground market after it is compromised by Stantinko, which guesses the passwords by trying thousands of different credentials. Although ESET Researchers couldn’t witness the malicious activity on the social network, operators of Stantinko have a tool that allows them to perform fraud on Facebook, selling ‘likes’ to illegitimately capture the attention of unsuspecting consumers.
‘The Safe Surfing’ and ‘Teddy Protection’ plugins are able to inject adverts or redirect the user.
“It allows Stantinko operators to be paid for the traffic they provide to these adverts. We even found users would reach the advertiser’s website directly through Stantinko-owned ads,” concludes Matthieu Faou, Malware Researcher at ESET.
To read more about Stantinko visit www.welivesecurity.com.
About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organisations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.
ESET recently updated its two-factor authentication (2FA) application, adding a secure validation to weak and static user passwords. This updated version of ESET’s 2FA application provides flexibility and deeper integration of 2FA into bespoke applications, making it the best cost-effective solutions for SMBs everywhere.
The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. For more information visit https://eset.version-2.sg/ or follow us on Facebook.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For more information, please visit www.version-2.com.sg or call (65) 6296-4268.