Jaysu
Banned
- Joined
- 21.09.20
- Messages
- 121
- Reaction score
- 776
- Points
- 63
The operators of one of the oldest active botnets in existence today, Stantinko, have updated their Trojan for Linux, and now, to bypass detection, it disguises itself as a legitimate Apache web server (httpd) process.
The stantinko botnet was first discovered in 2012 and initially only attacked Windows users. The malware was distributed through hacked programs or bundled with other applications and used to display unwanted ads or cryptocurrency miners on the infected system.
As profits from malware began to grow, botnet operators began to upgrade their code. For example, in 2017, a version of the Trojan appeared for Linux devices. Masquerading as a SOCKS5 proxy, this version of the malware turned infected Linux devices into nodes in a larger proxy network. Infected systems were used for brute force attacks on content management systems( CMS), databases, and other web-based systems.
After the system is compromised, Stantinko operators increase their privileges to access the OS (Linux or Windows) installs a copy of the malware and a cryptominer.
The version of the Linux Trojan discovered in 2017 was 1.2. in a recent report, the specialists of the information security company Intezer Labs described version 2.17. The new version of malware weighs less and contains much fewer features than the version three years ago, which is quite unusual, because over the years, as a rule, malware becomes more voluminous.
Malware operators have removed all secondary functions from their code, leaving only the most important functions, including the proxy function. Another reason for reducing the size of the Trojan is the desire of developers to minimize the number of digital fingerprints they leave. The fewer lines in the code, the harder it is for antivirus solutions to detect them.
In the new version of the Trojan, the developers changed the name of the process under which it is disguised. This is now the httpd process, a name commonly used by the better-known Apache web server. The reason is to hide malicious activity from the eyes of users, since the Apache web server is included in many Linux distributions by default.
The stantinko botnet was first discovered in 2012 and initially only attacked Windows users. The malware was distributed through hacked programs or bundled with other applications and used to display unwanted ads or cryptocurrency miners on the infected system.
As profits from malware began to grow, botnet operators began to upgrade their code. For example, in 2017, a version of the Trojan appeared for Linux devices. Masquerading as a SOCKS5 proxy, this version of the malware turned infected Linux devices into nodes in a larger proxy network. Infected systems were used for brute force attacks on content management systems( CMS), databases, and other web-based systems.
After the system is compromised, Stantinko operators increase their privileges to access the OS (Linux or Windows) installs a copy of the malware and a cryptominer.
The version of the Linux Trojan discovered in 2017 was 1.2. in a recent report, the specialists of the information security company Intezer Labs described version 2.17. The new version of malware weighs less and contains much fewer features than the version three years ago, which is quite unusual, because over the years, as a rule, malware becomes more voluminous.
Malware operators have removed all secondary functions from their code, leaving only the most important functions, including the proxy function. Another reason for reducing the size of the Trojan is the desire of developers to minimize the number of digital fingerprints they leave. The fewer lines in the code, the harder it is for antivirus solutions to detect them.
In the new version of the Trojan, the developers changed the name of the process under which it is disguised. This is now the httpd process, a name commonly used by the better-known Apache web server. The reason is to hide malicious activity from the eyes of users, since the Apache web server is included in many Linux distributions by default.