Linux version of Stantinko malware is now disguised as Apache web server

Operators of one of the oldest active botnets, Stantinko, have updated their Trojan for Linux. The Linux version of Stantinko is now disguised as a legitimate Apache web server (httpd) process to bypass detection.

The Stantinko malware was first discovered in 2012 and initially attacked only Windows users. It was distributed through hacked programs or bundled with other applications and was used to display unwanted advertisements or run cryptocurrency miners on the infected system.

As profits from malware began to rise, botnet operators began to modernize their code. For example, in 2017, a version of the Trojan appeared for Linux devices.

“Disguised as a SOCKS5 proxy, this version of the malware turned infected Linux devices into nodes in a larger proxy network. The infected systems were used to carry out brute force attacks on content management systems (CMS), databases and other web systems,” information security specialists say.

After the system is compromised, Stantinko operators escalate their privileges to access the OS (Linux or Windows) and install a copy of the malware and a cryptominer.

Linux Trojan version 1.2 was discovered in 2017. In a recent report, specialists from the information security company Intezer Labs described version 2.17.

“We have identified a new version of this Linux trojan masqueraded as httpd. httpd is Apache Hypertext Transfer Protocol Server, a commonly used program on Linux servers. The sample’s version is 2.17, and the older version is 1.2*. We believe this malware is part of a broader campaign that takes advantage of compromised Linux servers,” experts from Intezer Labs say.

The new version of the malware is smaller and contains far fewer features than the version from three years ago, which is quite unusual, because malware tends to grow in size over the years.

The malware operators have stripped everything secondary from their code, leaving only the most important functions, including the proxy function. Another reason for the Trojan’s size reduction is the developers’ desire to minimize the number of fingerprints they leave: the less code there is, the harder it is for antivirus solutions to detect it.

In the new version of the malware, the developers have changed the name of the process it masquerades as. It now runs as httpd, the process name used by the well-known Apache web server. The aim is to hide malicious activity from users, since the Apache web server is included by default in many Linux distributions.
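A process name alone proves nothing, so a defender can check whether each process calling itself httpd is actually backed by the distribution's Apache binary. The following script is an added example, not code from the article or from Intezer Labs; the trusted directories, the sample process table and the field layout are assumptions for illustration.

```python
import os
from dataclasses import dataclass

# Directories where a genuine Apache httpd binary is normally installed.
# Assumption for this example; adjust to your distribution's packaging.
TRUSTED_HTTPD_DIRS = ("/usr/sbin", "/usr/local/apache2/bin")

@dataclass
class Proc:
    pid: int
    comm: str  # process name as reported by /proc/<pid>/comm
    exe: str   # target of the /proc/<pid>/exe symlink

def suspicious_httpd(procs):
    """Return processes named httpd whose backing binary is not a trusted
    Apache install: wrong directory, wrong file name, or deleted from disk."""
    flagged = []
    for p in procs:
        if p.comm != "httpd":
            continue
        deleted = p.exe.endswith(" (deleted)")  # kernel marks unlinked binaries
        path = p.exe[:-len(" (deleted)")] if deleted else p.exe
        wrong_dir = os.path.dirname(path) not in TRUSTED_HTTPD_DIRS
        wrong_name = os.path.basename(path) != "httpd"
        if deleted or wrong_dir or wrong_name:
            flagged.append(p)
    return flagged

def snapshot_proc():
    # Live process table from /proc (Linux only; root needed to read every exe link).
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue  # process exited, or we are not permitted to inspect it
        procs.append(Proc(int(name), comm, exe))
    return procs

# Constructed sample process table so the check can be run offline.
SAMPLE = [
    Proc(1234, "httpd", "/usr/sbin/httpd"),            # genuine Apache
    Proc(2345, "httpd", "/tmp/.cache/httpd"),          # dropped into /tmp
    Proc(3456, "httpd", "/usr/sbin/httpd (deleted)"),  # binary removed after start
    Proc(4567, "sshd", "/usr/sbin/sshd"),              # not named httpd, ignored
]
```

On a live host, pass `snapshot_proc()` instead of `SAMPLE` to `suspicious_httpd()`; every hit should then be compared against the package manager's file list for Apache before being treated as an infection.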

Let me remind you about the Linux malware Drovorub, which allows taking control of Trio radio stations.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
