Stantinko is a modular trojan that has infected victims, undetected, for about five years. It infects victims via pirated software, often spread through torrents. It distracts the victim, drawing their attention to other unwanted apps while it installs the software and sets up its malicious code: the malware's main module and two Windows services, one of which enables boot persistence. Even if antivirus software detects one of the two Windows services, the remaining one can reinstall the other, further maintaining persistence. It was able to remain undetected for so long largely because the code was split in two and contained hidden malicious commands.

Stantinko has advanced capabilities, including conducting brute-force attacks on Joomla! and WordPress administrative panels, performing distributed and anonymous searches on Google to find Joomla! and WordPress sites, and using compromised Joomla! websites as C2 servers. It also contains a backdoor that can conduct reconnaissance and exfiltrate data. Additionally, it can conduct Facebook fraud by creating accounts, "liking" photos or pages, and adding friends.

Despite the advanced capabilities, the threat actors are seemingly financially motivated, using the malware for adware purposes. It was injected into two Chrome extensions, "Teddy Protection" and "The Safe Surfing," both claiming to be child protection and web surfing filters. The extensions, however, actually hijack users' clicks in search results on the Russian search engine Rambler. The actors target Russian-speaking users, with 46 and 33 percent of infected computers residing in Russia and Ukraine, respectively.

Technical Details

  • ESET researchers provide a technical analysis of Stantinko, here.