Stantinko is a massive and sophisticated adware botnet primarily targeting users in Russia and Ukraine. Researchers at ESET have classified the malware powering this botnet as a "modular backdoor" because it lets the attackers behind the campaign execute any command they wish on infected systems. Stantinko masquerades as pirated software and is often distributed through torrent sites. It is capable of evading antivirus software and maintains persistence by loading two malicious Windows services into the system's startup environment; if one of these services is detected and killed, the remaining service reinstalls it. Stantinko also installs malicious browser extensions named The Safe Surfing and Teddy Protection, designed to perform click fraud, browser redirection, and ad injection on the victim's system. The creators have also developed a plugin designed to commit social media fraud by using victims' accounts to fraudulently "like" pages or add "friends" on Facebook. Lastly, Stantinko is capable of brute-forcing websites powered by Joomla and WordPress to gain administrative access. Once the attackers are able to log into the compromised sites, they sell the login credentials on underground markets so the sites can be used for malicious purposes. The Stantinko botnet is estimated to include approximately 500,000 infected systems at the time of this post.
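As an added defender-side example (not ESET's tooling or code from the original reports), the following Python sweeps a Chromium-style Extensions directory for the two extension names the summary attributes to Stantinko, resolving Chrome's localised `__MSG_key__` name placeholders so a renamed-in-manifest extension is still caught. The sample profile tree it builds in a temporary directory is constructed for the demo; a real sweep would point `find_suspect_extensions` at a browser profile's Extensions folder.

```python
import json
import tempfile
from pathlib import Path
# Extension names the write-up attributes to Stantinko's browser components.
SUSPECT_NAMES = {"the safe surfing", "teddy protection"}

def resolve_name(ext_dir, manifest):
    """Display name, resolving Chrome's __MSG_key__ via _locales/<locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    locale_file = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        msgs = json.loads(locale_file.read_text(encoding="utf-8"))
        return msgs.get(name[6:-2], {}).get("message", name)  # strip "__MSG_" and "__"
    except (OSError, ValueError):
        return name  # missing or corrupt locale file: keep the raw placeholder

def find_suspect_extensions(extensions_root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; return (id, name) hits."""
    hits = []
    for manifest_path in Path(extensions_root).rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the sweep
        name = resolve_name(manifest_path.parent, manifest)
        if name.strip().lower() in SUSPECT_NAMES:
            hits.append((manifest_path.parent.parent.name, name))
    return hits

def build_sample_tree(base):
    """Constructed sample profile: one benign, one direct hit, one localised hit."""
    def write(ext_id, manifest, messages=None):
        d = Path(base, ext_id, "1.0")
        (d / "_locales" / "en").mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest))
        (d / "_locales" / "en" / "messages.json").write_text(json.dumps(messages or {}))
    write("a" * 32, {"name": "Some Legit Extension"})
    write("b" * 32, {"name": "Teddy Protection"})
    write("c" * 32, {"name": "__MSG_extName__", "default_locale": "en"},
          {"extName": {"message": "The Safe Surfing"}})
    return base

def demo():
    """Sweep the constructed sample tree and return the (id, name) hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_suspect_extensions(build_sample_tree(tmp))

if __name__ == "__main__":
    print(demo())
```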

Reporting and Technical Details:

  • Stantinko: A Massive Adware Campaign Operating Covertly Since 2012 (WeLiveSecurity)
  • ESET Waves Red Flag: Insight into Hidden Malware Affecting 500,000 Users (ESET)