09-23-2024

The Stantinko botnet has been a menace since it was discovered in 2012. In a new report, security researchers have revealed some of its obfuscation techniques, offering an insight into why it has been so difficult to detect. The techniques, which the report describes as unique, involve the obfuscation of strings and control-flow flattening.

The security researchers from Slovak internet security company ESET were the first to discover that Stantinko had added digital currency mining to its pool of criminal activities. In a report last November, they revealed that the botnet had moved from click fraud and ad injection to mining Monero.

And now, the researchers have revealed its obfuscation techniques for the first time. They include obfuscation of strings, control-flow flattening, use of do-nothing code, dead code and dead strings.

Of these, obfuscation of strings and control-flow obfuscation are the most notable and have been the most effective. In the first, “All the strings embedded in the module are unrelated to the real functionality. Their source is unknown and they either serve as building blocks for constructing the strings that are actually used or they are not used at all,” the report stated.

The actual strings that the malware relies on are generated in memory to avoid detection by file-based analysis techniques.

In control-flow flattening, the botnet changes the control flow into a form that is hard to read, making the execution order of basic blocks unpredictable.
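To make the flattening idea concrete, here is an added toy example in Python (not code from the ESET report or from Stantinko itself): a readable checksum routine, the same routine after flattening into a dispatcher loop with opaque state numbers, and the analyst-side walk over the dispatcher's transition table that recovers the hidden block order. The checksum function and the transition table are constructed for the illustration.

```python
"""Toy illustration of control-flow flattening and how an analyst recovers the block order."""


def checksum(data: bytes) -> int:
    """Original, readable control flow: a simple 16-bit byte checksum."""
    total = 0
    for b in data:
        total = (total * 31 + b) & 0xFFFF
    return total


def checksum_flattened(data: bytes) -> int:
    """Same computation after flattening: each basic block becomes one case
    of a dispatcher loop, so the static layout no longer reveals the order
    in which blocks execute. The state numbers are deliberately non-sequential."""
    state, total, i = 7, 0, 0
    while state != 0:                       # state 0 is the exit
        if state == 7:                      # entry block
            i = 0
            state = 3
        elif state == 3:                    # loop condition
            state = 5 if i < len(data) else 0
        elif state == 5:                    # loop body
            total = (total * 31 + data[i]) & 0xFFFF
            state = 9
        elif state == 9:                    # loop increment
            i += 1
            state = 3
    return total


# Static model of the dispatcher: successor states of each block.
# Constructed to mirror checksum_flattened; in practice an analyst
# extracts this table from the disassembly of the dispatcher.
TRANSITIONS = {7: [3], 3: [5, 0], 5: [9], 9: [3]}


def recover_block_order(entry: int) -> list:
    """Depth-first walk over the state transitions, which yields the
    original block sequence that the flattening obscured."""
    order, stack, seen = [], [entry], set()
    while stack:
        s = stack.pop()
        if s in seen or s == 0:             # skip revisits and the exit state
            continue
        seen.add(s)
        order.append(s)
        stack.extend(reversed(TRANSITIONS.get(s, [])))
    return order
```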

Stantinko also uses dead code – code that’s either never executed or has no impact on the overall functionality; and do-nothing code – parts of the code intertwined with the real code that have no purpose at all other than obscuring the analysis.

The botnet was launched in 2012, spreading through pirated content, with the criminals disguising executable files as torrents. The botnet’s operators are experts in avoiding detection – so much so that they managed to infect half a million machines for over five years before ESET security researchers discovered the botnet. Initially, they relied on ad injection, click fraud, password stealing attacks and social network fraud to generate income. In 2018, they switched to mining Monero, a tactic they still use.

Stantinko has continued to push the boundaries when it comes to obfuscation techniques. So, how worried should enterprises be about the new threats posed by these techniques? According to some top cybersecurity experts, not much.

Daniel Goldberg, the senior security and computer crime researcher at cloud security company Guardicore Labs, told SC Magazine, “Enterprise security teams should totally avoid thinking about malware obfuscation and detecting specific strains, and focus 100 percent of their efforts on detecting abnormal behaviour. Malware changes, but the vast majority use the network to communicate with hackers. Catch them there and stop playing whack-a-mole.”
