UPDATED 20:54 EDT / NOVEMBER 28 2019

Botnet uses YouTube to hide its cryptomining activities

In a sign of the times, a longstanding botnet has changed its behavior, switching its activity to cryptomining while using YouTube as part of its process.

Discovered Tuesday by security researchers at ESET spol. s r.o., the shift involves the Stantinko botnet, which has been around since 2012 and was previously used as part of a massive adware campaign. Those behind the botnet are believed to be from the former Soviet bloc, since it has traditionally targeted mainly Russia, Ukraine, Belarus and Kazakhstan.

The botnet, estimated to consist of 500,000 computers, is believed to have shifted from adware and other nefarious activities around August 2018 to distributing a cryptomining module.

Botnets, Trojan viruses and other forms of hacking that attempt to inject cryptomining scripts onto targeted systems are nothing new. Where the Stantinko botnet gets interesting is the ways it attempts to avoid detection, including the use of YouTube, of all unexpected places.

The cryptomining module being distributed by Stantinko is said to be a highly modified version of xmr-stak, a popular open-source cryptominer, from which unnecessary strings and functionality have been stripped in an attempt to evade detection.

Further evading detection, the modified miner, dubbed CoinMiner.Stantinko, uses YouTube to define its proxies instead of communicating directly with a mining pool, a usual detection trigger. The videos uploaded to YouTube include strings of text in their descriptions that the miner reads to undertake its illicit Monero mining. Since the miner retrieves this information from YouTube, existing security products would usually ignore the requests, because accessing YouTube is a regular activity not customarily flagged.
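The detection gap described above is that the YouTube request itself looks benign; what stands out is which process makes it and what that process connects to next. The following is an added illustration, not code from the article or from ESET's research: a small heuristic run over constructed connection events (modelled loosely on Sysmon network-connection logging), flagging non-browser processes that fetch YouTube and then reach a typical mining-pool port. The browser list and the Stratum port list are assumptions, not values from the article.

```python
"""Heuristic for a YouTube dead-drop feeding a cryptominer (added example).

Events are constructed, simplified network-connection records
(process image, destination host, destination port). Process names
and the port list are assumptions, not values from the article."""
from collections import defaultdict

# Processes for which a YouTube request is expected and therefore benign (assumed list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Ports commonly used by Stratum mining pools (assumption, not from the article).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

# Constructed sample events: (process image, destination host, destination port).
SAMPLE_EVENTS = [
    ("chrome.exe", "www.youtube.com", 443),
    ("svchost.exe", "www.microsoft.com", 443),
    ("winlogon_helper.exe", "www.youtube.com", 443),  # non-browser fetching a video page
    ("winlogon_helper.exe", "203.0.113.7", 3333),     # then a Stratum-like connection (TEST-NET address)
    ("firefox.exe", "www.youtube.com", 443),
]


def is_youtube(host: str) -> bool:
    """True for youtube.com and its subdomains only (no substring matching)."""
    return host == "youtube.com" or host.endswith(".youtube.com")


def analyze(events):
    """Return {process: set of finding tags} for processes worth a closer look.

    youtube_from_non_browser - YouTube fetched by a process that is not a browser
    stratum_port             - outbound connection to a typical mining-pool port
    youtube_then_stratum     - both of the above, in that order, by the same process
    """
    findings = defaultdict(set)
    saw_youtube = set()  # processes that already made a non-browser YouTube request
    for proc, host, port in events:
        if is_youtube(host) and proc.lower() not in BROWSERS:
            findings[proc].add("youtube_from_non_browser")
            saw_youtube.add(proc)
        if port in STRATUM_PORTS:
            findings[proc].add("stratum_port")
            if proc in saw_youtube:
                findings[proc].add("youtube_then_stratum")
    return dict(findings)


if __name__ == "__main__":
    for proc, tags in analyze(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(sorted(tags))}")
```

The combined tag is the one that mirrors this campaign: a YouTube fetch alone from an odd process is a weak signal, but the same process then opening a pool-style connection is worth an alert.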

The ESET security researchers contacted YouTube and the videos and related accounts have been taken down. But the case highlights some of the more interesting ways hackers are using common sites and tools to avoid detection.

“Our discovery shows that the criminals behind Stantinko continue to expand the ways they leverage the botnet they control,” the researchers concluded. “This remotely configured cryptomining module… shows this group continues to innovate and extend its money-making capabilities.”

Image: christiaancolen/Flickr
