
ESET uncovers stealthy Stantinko malware's click fraud prowess

25 Jul 17

ESET has spotted a malware strain that tricks users into downloading it as pirated software from dummy torrent sites, and it has so far affected half a million users.

The malware, dubbed Stantinko, has been lurking for the past five years but has been so adept at changing its form that it went undetected for that entire period.

Researchers say that Stantinko operates a bot network. That network is monetised through browser extensions that inject fake ads while the victim browses the web.

“It allows Stantinko operators to be paid for the traffic they provide to these adverts. We even found users would reach the advertiser’s website directly through Stantinko-owned ads,” comments ESET malware researcher Matthieu Faou.

When Stantinko is installed it can create fake Facebook accounts, like pictures and pages and add friends. It can also conduct Google searches anonymously.

ESET researchers say that Stantinko uses code that looks legitimate, while its malicious code is kept encrypted, either in the Windows Registry or in a file.

“It is difficult to get rid of once you have it, as each component service has the ability to reinstall the other in case one of them is deleted from the system. To fully eliminate the problem, the user has to delete both services from their machine at the same time,” comments ESET malware researcher Frédéric Vachon.
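The mutual-reinstall behaviour described above means that stopping one service at a time is not enough. As an added illustration (not code from ESET or the article), the following PowerShell outline disables both services before stopping either, so neither can relaunch its partner, then removes them together; the service names are placeholders, since the article does not name them.

```powershell
# Added example (not from the ESET report or the article): removing a pair of
# mutually-reinstalling Windows services. The service names below are
# placeholders; the real names must come from your own triage.
$WatchdogPair = @('PLACEHOLDER_SERVICE_A', 'PLACEHOLDER_SERVICE_B')

# 1. Disable both services first so that neither can be (re)started while we
#    work on the other. A service that is stopped but still set to Automatic
#    can be relaunched by its partner.
foreach ($name in $WatchdogPair) {
    Set-Service -Name $name -StartupType Disabled -ErrorAction Stop
}

# 2. Stop both in quick succession, then verify that both really stopped
#    before touching anything else.
foreach ($name in $WatchdogPair) {
    Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
}
$stillRunning = Get-Service -Name $WatchdogPair |
    Where-Object { $_.Status -ne 'Stopped' }
if ($stillRunning) {
    throw "Services still running: $($stillRunning.Name -join ', '); do not proceed."
}

# 3. Record each service binary path for later analysis, then delete both
#    service entries in the same pass.
foreach ($name in $WatchdogPair) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    Write-Output "Service $name -> $($svc.PathName)"
    sc.exe delete $name | Out-Null
}
```

Run from an elevated session; if either service cannot be stopped, investigate why (a third watchdog, a scheduled task) before deleting anything.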

A decryption key is generated during the initial compromise and is required to unpack that code. Because new components are only launched on instruction from the command and control server, the malware is difficult to uncover until that happens.

Once launched, the malware then installs the ‘The Safe Surfing’ and ‘Teddy Protection’ browser plugins. While they look legitimate, Stantinko configures them to receive rules for click fraud and ad injection, comments ESET senior malware researcher Marc-Etienne Léveillé.

Once the malware is fully operational, attackers can use the plugins to control the infected system. Its searches can trawl for Joomla and WordPress sites, which are then targeted with brute-force attacks.

While it has so far been spotted targeting Russia, Ukraine, Belarus and Kazakhstan, the malware’s build is tipped to be a goldmine for click fraud hackers.

The compromised sites can then be sold on the dark web, while its Facebook activities can sell ‘likes’ to unsuspecting users.

While Stantinko could technically be classed as adware, its activities through internet searches, bots and controlling systems also class it as a dangerous backdoor. Researchers point out that it could be used for other malicious purposes.
