ESET Waves Red Flag: Insight into Hidden Malware Affecting 500,000 Users

ESET, a global leader in cybersecurity, has investigated and identified a complex threat posed by a new strain of malware that has so far affected half a million users.

Dubbed as Stantinko, ESET analyzes this highly inconspicuous malware which tricks victims into downloading pirated software from fake torrent sites, and that has continually morphed to avoid detection for the last five years. Targeting mainly Russian speakers, Stantinko is a network of bots which is monetized by installing browser extensions that inject fake ads while surfing the web. Once installed on a machine it can perform massive Google searches anonymously and create fake accounts on Facebook with the capability to like pictures, pages and add friends.

A Modular Backdoor

Stantinko’s ability to evade anti-virus detection relies upon heavy obfuscation and hiding in plain sight inside code that looks legitimate. Using advanced techniques, malicious code is hidden either encrypted in a file or in the Windows Registry. It is then decrypted using a key generated during the initial compromise. Its malicious behavior can’t be detected until it receives new components from its command and control  server, making it difficult to uncover.

Once a machine is infected, two harmful Windows services that launch every time the system is started are installed.

“It is difficult to get rid of once you have it, as each component service has the ability to reinstall the other in case one of them is deleted from the system. To fully eliminate the problem, the user has to delete both services from their machine at the same time,” explains Frédéric Vachon, Malware Researcher at ESET. 

Once inside a device, Stantinko installs two browser plugins, both available on the Google Chrome Web Store – ‘The Safe Surfing’ and ‘Teddy Protection.’

“Both plugins were still available online during our analysis,” says Marc-Etienne Léveillé, Senior Malware Reseracher at ESET. “At first sight, they look like legitimate browser extensions and even have a website. However, when installed by Stantinko, the extensions receive a different configuration containing rules to perform click-fraud and ad injection.” 

Once the malware has infiltrated, Stantinko’s operators can use flexible plugins to do anything they wish with the compromised system. These include conducting massive anonymous searches to find Joomla and WordPress sites, performing brute force attacks on these sites, finding and stealing data, and creating fake accounts on Facebook.

How do Stantinko hackers make money?

Stantinko has the potential to be very lucrative as click fraud is a major source of revenue for hackers. Research conducted by White Ops and the Association of National Advertisers in the US estimated click fraud will cost businesses $6.5 billion this year alone.

Details of the sites victim to brute force attacks can also be sold on the underground market after it is compromised by Stantinko, which guesses the passwords by trying thousands of different credentials. Although ESET Researchers couldn’t witness the malicious activity on the social network, operators of Stantinko have a tool that allows them to perform fraud on Facebook, selling ‘likes’ to illegitimately capture the attention of unsuspecting consumers.

‘The Safe Surfing’ and ‘Teddy Protection’ plugins are able to inject adverts or redirect the user.

“It allows Stantinko operators to be paid for the traffic they provide to these adverts. We even found users would reach the advertiser’s website directly through Stantinko-owned ads,” concludes Matthieu Faou, Malware Researcher at ESET.

To read more about Stantinko visit www.welivesecurity.com.