Operators of one of the oldest active botnets today, Stantinko, have updated their Trojan for Linux. The Linux version of the Stantinko disguised is now masked as a legitimate Apache web server (httpd) process to bypass detection.
The Stantinko malware was first discovered in 2012 and initially attacked only Windows users. The malware was distributed through hacked programs or bundled with other applications and was used to display unwanted advertisements or cryptocurrency miners on the infected system.
As profits from malware began to rise, botnet operators began to modernize their code. For example, in 2017, a version of the Trojan appeared for Linux devices.
“Disguised as a SOCKS5 proxy, this version of the malware turned infected Linux devices into nodes in a larger proxy network. The infected systems were used to carry out brute force attacks on content management systems (CMS), databases and other web systems”, – information security specialists tell.
After the system is compromised, Stantinko operators escalate their privileges to access the OS (Linux or Windows) and install a copy of the malware and a cryptominer.
In 2017 was discovered Linux Trojan version 1.2. In a recent report, specialists from the information security company Intezer Labs described version 2.17.
“We have identified a new version of this Linux trojan masqueraded as httpd. httpd is Apache Hypertext Transfer Protocol Server, a commonly used program on Linux servers. The sample’s version is 2.17, and the older version is 1.2*. We believe this malware is part of a broader campaign that takes advantage of compromised Linux servers”, — experts from Intezer Labs tell.
The new version of malware weighs less and contains much fewer features than the version three years ago, which is quite unusual, because malware tends to grow in size over the years.
The malware operators have removed everything secondary from their code, leaving only the most important functions, including the proxy function. Another reason for the Trojan’s size reduction is the desire of developers to minimize the number of digital fingerprints they leave. The fewer lines in the code, the more difficult it is for antivirus solutions to detect them.
In the new version of the malware, the developers have changed the name of the process it masks as. Now it is the httpd process, a name commonly used by the more famous Apache web server. The reason is the desire to hide malicious activity from users, since the Apache web server is included by default in many Linux distributions.
Let me remind you that about the Linux malware Drovorub, that allows taking control of Trio radio stations.