Stantinko’s Linux malware now masquerades as an Apache web server
Stantinko, one of the oldest malware botnets still in operation today, has rolled out updates to its Linux malware class, upgrading its Trojan to present itself as the process of legitimate Apache web server (httpd) to make detection more difficult on infected hosts.
The upgrades, spotted by security firm Intezer Labs, confirm that despite a period of inactivity regarding code changes, the Stantinko botnet continues to function even today.
A little history of Stantinko
The Stantinko botnet was first detected in 2012. The group behind this malware began operating by distributing the Stantinko Trojan as part of application bundles or through hacked applications.
At first, only Windows users were targeted, with the malware using infected hosts to display unwanted ads or to install a hidden cryptocurrency miner.
As the botnet grew and began to generate more profit, its code evolved over the years. A considerable update was discovered in 2017 [see PDF report] when Slovak security firm ESET spotted Stantinko also deploying special versions of its malware for Linux systems.
This Linux version acted as a SOCKS5 proxy, with Stantinko turning infected Linux systems into nodes into a larger proxy network.
Each of these Linux systems would be used to launch brute force attacks against content management systems (CMS) and various web systems, such as databases. Once these systems were compromised, the Stantinko gang elevated their access to the underlying server operating system (Linux or Windows), then deployed a copy of themselves and a crypto-miner to generate even more profit for the authors. malware.
New version of Stantinko Linux
But crypto-mining botnets like Stantinko cost a dime a dozen, and they’re usually not tracked with the same vigor as ransomware gangs or botnets like Emotet or Trickbot.
The latest version of Stantinko’s Linux malware was spotted in 2017, with a version number of 1.2. But in a report released today and shared with ZDNet, Intezer Labs said that after three years, they recently discovered a new version of Stantinko’s Linux malware, bearing the version number 2.17 – a huge leap from the previous known version.
However, despite the huge version gap between the two versions, the Intezer team notes that the new version is actually lighter and contains less features than the old version, which is odd because malware tend to multiply over the years.
One of the reasons for this weird decision is that the Stantinko gang may have removed all the glitter from their code and left only the features they need and use on a daily basis. This includes the proxy function, still present in the new version, and crucial for its brute force operations.
Another reason could also be that the Stantinko gang was trying to reduce the malware’s fingerprint compared to antivirus solutions. Fewer lines of code means less malicious behavior to detect.
And Intezer notes that Stantinko almost succeeded, as the new version had a very low detection rate on the VirusTotal aggregate virus scanner, going almost unnoticed.
Impersonate Apache’s web server
Additionally, the Stantinko gang seems to have put a primer on stealth in this new release, as they have also changed the name of the process used by their Linux malware, choosing to go with it. httpd, the name usually used by the most famous Apache web server.
This was obviously done to prevent server owners from spotting malware during regular visual inspection, as the Apache web server is often included by default in many Linux distributions, and this process typically runs on Linux systems. which Stantinko commonly infects.
Either way, Linux system administrators should realize that as the Linux operating system becomes more prevalent in today’s corporate environments, more and more malware operations will begin to take hold. target Linux, and many gangs will also contribute their expertise and cunning from years of Windows malware development. .
What Linux server owners need to know is that although Linux is a secure operating system, malware often burrows deep into systems due to misconfigurations. In the case of Stantinko, this botnet attacks server administrators who use weak passwords for their databases and CMS.
In fact, this is how all malware works, regardless of the operating system.
Malware rarely exploits vulnerabilities at the operating system level to gain a foothold in a system. In most cases, malware gangs typically focus on:
- misconfigurations of applications that left ports open or administration panels exposed online;
- obsolete applications left without security patches;
- systems / applications that use weak passwords for Internet services;
- encourage users to take dangerous actions (social engineering);
- or by exploiting bugs in applications that run on the operating system.
Exploits in the Linux operating system itself are rarely used, and usually after malware has already gained access to a system through any of the above methods.
These exploits, used as second-stage payloads, are typically used to elevate privileges from low-level accounts to administrator accounts, so that the malware can take full control of the attacked system. Therefore, even if Linux (or another operating system) is not directly targeted, it should always run up-to-date versions to prevent these user-root elevations once attackers gain a foothold on infected hosts. .
Protecting systems from attacks is easy because most system administrators need to keep applications up to date and use strong passwords. Still, it’s still hard work because, in most cases, companies are running hundreds or thousands of systems at the same time, and attackers only need to find a weak link to get in.