Stantinko: large-scale adware campaign, operating since 2012
Adware is not the easiest type of malware to analyze. Having discovered the complex threat of Stantinko, we did not immediately understand what it was: adware, malware or spyware. It took time to identify its goals and patterns, as the threat leaves not many traces on the infected machine. Understanding the Stantinko ecosystem is about how to assemble a puzzle.
Stantinko specializes in advertising fraud, but stands out against the general background of technical complexity. Code encryption and operational adaptation to protect against detection by antivirus allowed Stantinko operators to remain out of sight for at least five years. In addition, attention is drawn to the scale of Stantinko - this is one of the most common cyber threats in Russia, with a botnet of about 500,000 devices.
')
To infect the system, Stantinko operators are misleading users who search for pirated software and download executable files, sometimes disguised as torrents. Next FileTour, the initial infection vector, demonstratively installs a multitude of programs to divert the user's attention from the hidden installation of the first Stantinko service in the background. Video 1 shows how a user launches a malicious .exe file.
Video 1. The user downloads and runs a malicious file.
Stantinko operators control the botnet and monetize it, mainly by installing malicious browser extensions for the unauthorized introduction of advertising and clickfrood. The problem is that they do not stop at that. Malicious services allow you to execute anything on the infected system. We watched sending a full-featured backdoor, a mass search bot on Google, as well as utilities for brute-force attacks on Joomla and WordPress control panels (designed for hacking and possible resale).
The figure below shows the complete Stantinko cyber campaign, from the infection vector to permanent services and the corresponding plug-ins.
Figure 1. Complete Stantinko Threat Scheme
A characteristic feature of Stantinko is antivirus detection bypass and counter-reverse engineering, which determines malicious behavior. To conduct a comprehensive threat analysis, several components are needed - a bootloader and an encrypted component. The malicious code is hidden in an encrypted component that is either on the disk or in the Windows registry. The code is loaded and decoded by an executable file that is seemingly harmless at first glance. A key is generated for each of the infections. Some components use the bot ID, others use the serial number of the victim’s hard drive volume. Detection by unencrypted components is an extremely difficult task, since artifacts stored on disk do not show malicious behavior prior to execution.
In addition, Stantinko provides a recovery mechanism. After a successful infection, two malicious services are installed on the victim's machine with the Widnows operating system and run together with the system. Services can reinstall each other if one of them is deleted. Thus, in order to successfully eliminate a threat, you must simultaneously remove two services. Otherwise, the C & C server will send a new version of a remote service that has not yet been discovered or contains a new configuration.
The main functionality of Stantinko is the installation of The Safe Surfing and Teddy Protection browser extensions on the infected system. At the time of analysis, both extensions were available in the Chrome Web Store. At first glance, these are legitimate browser extensions that block unwanted URLs. But when installed as part of the Stantinko scheme, extensions are given a different configuration, containing the rules for click-promotion and unauthorized advertising. Video 2 shows the installation process for The Safe Surfing . Clicking on the link, the user is redirected to the Rambler search engine.
Figure 2. Teddy Protection in the Chrome Web Store
Figure 3. The Safe Surfing in the Chrome Web Store
Video 2. Forwarding traffic to the Rambler site
Stantinko - modular backdoor. Its components include a bootloader that allows you to execute any executable Windows file that is transferred by the C & C server directly into memory. This feature is implemented as a flexible plug-in system that allows operators to do whatever they want on an infected system. The table below provides a description of Stantinko plugins known to us.
Stantinko developers use methods that are more common in APT campaigns. However, their main goal is money. Operators offer their services in the most profitable markets for computer crimes.
First, the clickfrod today is a major source of income in the cybercriminal ecosystem. A study conducted by White Ops and the National Association of Advertisers (USA), estimated the global cost of clickfrood in 2017 at 6.5 billion US dollars.
As already described above, Stantinko installs two browser extensions - The Safe Surfing and Teddy Protection , which show ads or redirect. This allows Stantinko operators to get paid for the traffic they provide to advertisers. The figure below shows the redirection scheme.
Figure 4. Clickfrod, redirection process
Traditional clickframe schemes are built on a series of redirections between several ad networks to “launder” traffic. But in the case of Stantinko, the operators are closer to the advertisers - in some cases (see Figure 4), the user gets to the advertiser's site immediately from the Stantinko network. This means that the attackers behind the Stantinko campaign can not only effectively hide the malware, but also disrupt the traditional advertising economy, and this gets away with it.
Secondly, the operators of Stantinko are trying to gain access to the control panels of sites on Joomla and WordPress. The attack is built on brute-force with enumeration of logins and passwords in the list. The goal is to guess the password by trying tens of thousands of combinations. Hacked accounts can be resold and then used to redirect site visitors to a set of exploits or to post malicious content.
Thirdly, our study revealed how Stantinko works in social networks. We already described this type of fraud in a Linux / Moose report . The scheme really makes a profit - 1000 likes on Facebook cost about $ 15 (even if they are generated by fake accounts in the botnet).
Operators Stantinko have developed a plugin that interacts with Facebook. In addition, he can create accounts, like the page and add friends. To bypass captcha on Facebook, he uses a special service (in Figure 5). The scale of the Stantinko network is an advantage of the operators, because it allows them to distribute requests among all bots - this complicates Facebook’s task of recognizing fraud.
Figure 5. Captcha bypass service used by Stantinko
Stantinko is a botnet that specializes in advertising fraud. Advanced technologies, including code encryption and code storage in the Windows registry, allowed operators to go unnoticed for five years.
In addition, the operators of Stantinko managed to put in the Chrome Web Store two browser extensions that performed unauthorized advertising. One of them first appeared in the Chrome Web Store in November 2015.
The user is unlikely to notice the presence of Stantinko in the system, since the threat does not overload the CPU. On the other hand, Stantinko brings losses to advertisers and significant revenue to operators. In addition, the presence of a full-featured backdoor allows attackers to monitor all infected machines.
Main conclusions:
Infection indicators are available in our account on GitHub . For any questions regarding Stantinko, including sample transfer, write to threatintel@eset.com.
Stantinko specializes in advertising fraud, but stands out against the general background of technical complexity. Code encryption and operational adaptation to protect against detection by antivirus allowed Stantinko operators to remain out of sight for at least five years. In addition, attention is drawn to the scale of Stantinko - this is one of the most common cyber threats in Russia, with a botnet of about 500,000 devices.
')
Overview
To infect the system, Stantinko operators are misleading users who search for pirated software and download executable files, sometimes disguised as torrents. Next FileTour, the initial infection vector, demonstratively installs a multitude of programs to divert the user's attention from the hidden installation of the first Stantinko service in the background. Video 1 shows how a user launches a malicious .exe file.
Video 1. The user downloads and runs a malicious file.
Stantinko operators control the botnet and monetize it, mainly by installing malicious browser extensions for the unauthorized introduction of advertising and clickfrood. The problem is that they do not stop at that. Malicious services allow you to execute anything on the infected system. We watched sending a full-featured backdoor, a mass search bot on Google, as well as utilities for brute-force attacks on Joomla and WordPress control panels (designed for hacking and possible resale).
The figure below shows the complete Stantinko cyber campaign, from the infection vector to permanent services and the corresponding plug-ins.
Figure 1. Complete Stantinko Threat Scheme
Key parameters
A characteristic feature of Stantinko is antivirus detection bypass and counter-reverse engineering, which determines malicious behavior. To conduct a comprehensive threat analysis, several components are needed - a bootloader and an encrypted component. The malicious code is hidden in an encrypted component that is either on the disk or in the Windows registry. The code is loaded and decoded by an executable file that is seemingly harmless at first glance. A key is generated for each of the infections. Some components use the bot ID, others use the serial number of the victim’s hard drive volume. Detection by unencrypted components is an extremely difficult task, since artifacts stored on disk do not show malicious behavior prior to execution.
In addition, Stantinko provides a recovery mechanism. After a successful infection, two malicious services are installed on the victim's machine with the Widnows operating system and run together with the system. Services can reinstall each other if one of them is deleted. Thus, in order to successfully eliminate a threat, you must simultaneously remove two services. Otherwise, the C & C server will send a new version of a remote service that has not yet been discovered or contains a new configuration.
The main functionality of Stantinko is the installation of The Safe Surfing and Teddy Protection browser extensions on the infected system. At the time of analysis, both extensions were available in the Chrome Web Store. At first glance, these are legitimate browser extensions that block unwanted URLs. But when installed as part of the Stantinko scheme, extensions are given a different configuration, containing the rules for click-promotion and unauthorized advertising. Video 2 shows the installation process for The Safe Surfing . Clicking on the link, the user is redirected to the Rambler search engine.
Figure 2. Teddy Protection in the Chrome Web Store
Figure 3. The Safe Surfing in the Chrome Web Store
Video 2. Forwarding traffic to the Rambler site
Stantinko - modular backdoor. Its components include a bootloader that allows you to execute any executable Windows file that is transferred by the C & C server directly into memory. This feature is implemented as a flexible plug-in system that allows operators to do whatever they want on an infected system. The table below provides a description of Stantinko plugins known to us.
Monetization
Stantinko developers use methods that are more common in APT campaigns. However, their main goal is money. Operators offer their services in the most profitable markets for computer crimes.
First, the clickfrod today is a major source of income in the cybercriminal ecosystem. A study conducted by White Ops and the National Association of Advertisers (USA), estimated the global cost of clickfrood in 2017 at 6.5 billion US dollars.
As already described above, Stantinko installs two browser extensions - The Safe Surfing and Teddy Protection , which show ads or redirect. This allows Stantinko operators to get paid for the traffic they provide to advertisers. The figure below shows the redirection scheme.
Figure 4. Clickfrod, redirection process
Traditional clickframe schemes are built on a series of redirections between several ad networks to “launder” traffic. But in the case of Stantinko, the operators are closer to the advertisers - in some cases (see Figure 4), the user gets to the advertiser's site immediately from the Stantinko network. This means that the attackers behind the Stantinko campaign can not only effectively hide the malware, but also disrupt the traditional advertising economy, and this gets away with it.
Secondly, the operators of Stantinko are trying to gain access to the control panels of sites on Joomla and WordPress. The attack is built on brute-force with enumeration of logins and passwords in the list. The goal is to guess the password by trying tens of thousands of combinations. Hacked accounts can be resold and then used to redirect site visitors to a set of exploits or to post malicious content.
Thirdly, our study revealed how Stantinko works in social networks. We already described this type of fraud in a Linux / Moose report . The scheme really makes a profit - 1000 likes on Facebook cost about $ 15 (even if they are generated by fake accounts in the botnet).
Operators Stantinko have developed a plugin that interacts with Facebook. In addition, he can create accounts, like the page and add friends. To bypass captcha on Facebook, he uses a special service (in Figure 5). The scale of the Stantinko network is an advantage of the operators, because it allows them to distribute requests among all bots - this complicates Facebook’s task of recognizing fraud.
Figure 5. Captcha bypass service used by Stantinko
Conclusion
Stantinko is a botnet that specializes in advertising fraud. Advanced technologies, including code encryption and code storage in the Windows registry, allowed operators to go unnoticed for five years.
In addition, the operators of Stantinko managed to put in the Chrome Web Store two browser extensions that performed unauthorized advertising. One of them first appeared in the Chrome Web Store in November 2015.
The user is unlikely to notice the presence of Stantinko in the system, since the threat does not overload the CPU. On the other hand, Stantinko brings losses to advertisers and significant revenue to operators. In addition, the presence of a full-featured backdoor allows attackers to monitor all infected machines.
Main conclusions:
- About 500,000 computers compromised by Stantinko
- The main objectives are Russia (46%) and Ukraine (33%)
- Stantinko operators monetize the botnet by installing browser extensions for unauthorized advertisements
- The components remaining on the disk use a custom code obfuscator, which complicates the threat analysis process.
- In most Stantinko components, the malicious code is hidden inside legitimate free open source software that has been modified and recompiled.
- Stantinko installs several permanent services that can restore each other, preventing removal from the system.
- The most common use of Stantinko is advertising fraud. However, its capabilities are much wider. We’ve watched sending a full-featured backdoor for remote administration, a mass search bot to Google and utilities for brute-force attacks on Joomla and WordPress dashboards
Infection indicators are available in our account on GitHub . For any questions regarding Stantinko, including sample transfer, write to threatintel@eset.com.
Source: https://habr.com/ru/post/333798/
All Articles