09-22-2024
A botnet that has previously focused on click fraud has now turned to cryptocurrency mining. Known as Stantinko, the bot has been active since 2012, but it started mining crypto last year. To avoid detection, Stantinko has been using proxies whose IP addresses it posts on YouTube.

Security researchers from ESET discovered the botnet years ago. Back then, however, it made money for its operators through click fraud, social network fraud and ad injection, and it also stole passwords from its victims.

Since at least August 2018, however, the botnet has turned to crypto mining, the researchers revealed in a recent report. Its mining module is a modified version of xmr-stak, an open-source Monero miner. The criminals stripped out most of the miner's functionality in an attempt to evade detection. Security software detects the malware as Win{32,64}/CoinMiner.Stantinko.

Its most distinctive characteristic, however, is its use of YouTube to evade detection. CoinMiner.Stantinko doesn’t communicate with its mining pool directly. Instead, it routes traffic through proxies whose IP addresses it reads from the description text of YouTube videos.

ESET security experts informed YouTube of the abuse and the firm took down all channels containing these videos.

To increase effectiveness, Stantinko enumerates all running processes on the infected host and shuts down any other crypto miners it finds. The botnet has also put in place measures meant to keep the user of the infected host from noticing it. For one, it suspends all mining as soon as a task manager application is launched. The report further revealed:

“CoinMiner.Stantinko temporarily suspends mining if it detects there’s no power supply connected to the machine. This measure, evidently aimed at portable computers, prevents fast battery draining … which might raise the user’s suspicion.”
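The evasion behaviour described above (mining pauses the moment a task manager starts) leaves a signature in ordinary CPU telemetry that a defender can correlate. The following is an added example, not code from the article or from ESET: it runs a simple correlation over constructed per-process CPU samples and process-creation events; the field layout, process names and the 20-second window are assumptions.

```python
"""Flag processes whose CPU use collapses right when taskmgr.exe starts.

Added example (not from the article or ESET's report). All telemetry
below is constructed; the sample format and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed CPU samples: (seconds since boot, pid, image name, cpu percent).
SAMPLES = [
    (100, 4242, "updater.exe", 92.0),  # sustained high CPU before taskmgr
    (105, 4242, "updater.exe", 90.0),
    (110, 4242, "updater.exe", 88.0),
    (100, 1201, "chrome.exe", 35.0),
    (105, 1201, "chrome.exe", 30.0),
    (110, 1201, "chrome.exe", 33.0),
    (116, 4242, "updater.exe", 0.5),   # drops right after taskmgr launch
    (120, 4242, "updater.exe", 0.0),
    (116, 1201, "chrome.exe", 31.0),   # unaffected by taskmgr
    (120, 1201, "chrome.exe", 29.0),
]
# Constructed process-creation events: (seconds since boot, image name).
PROCESS_STARTS = [(40, "explorer.exe"), (112, "taskmgr.exe")]


def suspicious_pauses(samples, starts, window=20, high=50.0, low=5.0):
    """Return (pid, name) for every process that averaged >= `high` CPU in
    the `window` seconds before a taskmgr.exe start and <= `low` after it.
    Heuristic only: a real detection should also exclude known workloads."""
    triggers = [t for t, name in starts if name.lower() == "taskmgr.exe"]
    hits = []
    for t0 in triggers:
        before, after = defaultdict(list), defaultdict(list)
        for t, pid, name, cpu in samples:
            if t0 - window <= t < t0:
                before[(pid, name)].append(cpu)
            elif t0 <= t <= t0 + window:
                after[(pid, name)].append(cpu)
        for key, cpus in before.items():
            if key not in after:
                continue  # process had no samples after the trigger
            avg_before = sum(cpus) / len(cpus)
            avg_after = sum(after[key]) / len(after[key])
            if avg_before >= high and avg_after <= low:
                hits.append(key)
    return hits


if __name__ == "__main__":
    for pid, name in suspicious_pauses(SAMPLES, PROCESS_STARTS):
        print(f"pid {pid} ({name}) went idle when taskmgr.exe started")
```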

While the criminals have gone to great lengths to obfuscate CoinMiner.Stantinko, the hashing algorithm is the exception. The report explained, “Unlike the rest of CoinMiner.Stantinko, the hashing algorithm isn’t obfuscated, since obfuscation would significantly impair the speed of hash calculation and hence overall performance and profitability. However, the authors still made sure not to leave any meaningful strings or artifacts behind.”

The researchers believe that Stantinko has infected over 500,000 machines globally. However, its main targets are machines in Ukraine, Russia, Kazakhstan and Belarus.
