ESET researchers have unearthed a botnet of some 500,000 infected machines engaged mostly in ad-related fraud by using malicious Chrome extensions, but also Facebook fraud and brute-forcing Joomla and WordPress websites.
In addition to this, the compromised machines are also equipped with a fully featured backdoor, which allows the operators to spy on all the victims, and to download additional malware on the computers.
A long-standing operation
There are many unusual things about the so-called Stantinko operation:
- It targets mostly Russian and Ukrainian users
- The operators have managed to publish two ad injection browser extensions on the Chrome Web Store, from which the infected machines would download and install them
- In most of the Stantinko components, the malicious code is concealed inside legitimate free and open source software that has been modified and recompiled
- The operation has been active – and well concealed – since 2012.
According to the researchers, the operators managed to keep their work mostly undetected because the make heavy use of code encryption and make reverse engineering efforts difficult by making sure multiple parts are needed to conduct a complete analysis.
“There are always two components involved: a loader and an encrypted component. The malicious code is concealed in the encrypted component that resides either on the disk or in the Windows Registry. This code is loaded and decrypted by a benign-looking executable,” they explained.
“The key to decrypt this code is generated on a per-infection basis. Some components use the bot identifier and others use the volume serial number from its victim PC’s hard drive. Making reliable detections based on the non-encrypted components is a very difficult task, since artifacts residing on the disk do not expose malicious behavior until they’re executed.”
To assure persistence, the threat installs two malicious Windows services – if one is found and uninstalled, the other will reinstall it, and vice versa.
Infection and activity
The initial installation vector (dubbed FileTour) is usually posing as a torrent file for pirated software. Once the user runs the file, the malware installs several pieces of software, while in the background also installing the first malicious Windows service.
From that moment on, the malware downloads and installs the two malicious Chrome extensions – “The Safe Surfing” and “Teddy Protection” – whose purpose is to inject advertisements or redirect users to specific sites when, for example, they search for something via the Russian search engine Rambler and click on one of the offered links.
The botnet operators are paid for the traffic they provide to advertisers, but that’s not their only source of revenue.
The Stantinko backdoor also features several plugins, which allow them to:
- Perform massive distributed searches for Joomla and WordPress websites, and brute-force those installation’s admin panels (they probably sell on the compromised credentials)
- Creating Facebook accounts, like pictures or pages, adding friends (prices are around $15 per 1000 Facebook likes)
- Download additional malware, exfiltrate data, etc.
“Even though it isn’t noticeable to the user, due to the absence of CPU intensive tasks, Stantinko is a major threat, as it provides a large source of fraudulent revenue to cybercriminals. Moreover, the presence of a fully featured backdoor allows the operators to spy on all the victimized machines,” the researchers noted.
If you suspect your machine might be part of the botnet, you might want to search your computer for one of many Indicators of Compromise provided by ESET.