UPDATED 20:54 EDT / NOVEMBER 28 2019

SECURITY

Botnet uses YouTube to hide its cryptomining activities

In a sign of the times, a longstanding botnet has changed its behavior, switching its activity to cryptomining while using YouTube as part of its process.

Discovered Tuesday by security researchers at ESET spol s.r.o, the shift involves the Stantinko botnet, which has been around since 2012 and was previously used as part of a massive adware campaign. Those behind the botnet are believed to be from the former Soviet bloc, since it has traditionally targeted mainly Russia, Ukraine, Belarus and Kazakhstan.

The botnet, estimated to consist of 500,000 computers, is believed to have shifted from adware and other nefarious activities around August 2018 to distributing a cryptomining module.

Botnets, Trojan viruses and other forms of hacking that attempt to inject cryptomining scripts onto targeted systems are nothing new. Where the Stantinko botnet gets interesting is the ways it attempts to avoid detection, including the use of YouTube, of all unexpected places.

The cryptomining module being distributed by Stantinko is said to be a highly modified version of xmr-stak, a popular open-source cryptominer; unnecessary strings and functionality have been stripped from it in an attempt to evade detection.

In a further effort to evade detection, the modified module, dubbed CoinMiner.Stantinko, uses YouTube to define its proxies instead of communicating directly with a mining pool, a common detection trigger. The descriptions of videos uploaded to YouTube contain text strings that the module reads to obtain the proxy information it needs for its illicit Monero mining. Because the module obtains this information from YouTube, existing security products would usually ignore the requests: accessing YouTube is a regular activity that is not customarily flagged.
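The evasion described above relies on the YouTube request itself looking benign. One defensive angle is to look not at the destination but at the sequence: a non-browser process fetching a YouTube page and then, moments later, opening a connection to a previously unseen destination. The following is an added detection example written for this article; it is not ESET's or SiliconANGLE's code, and the telemetry format, process names and browser list are constructed assumptions.

```python
from ipaddress import ip_address

# Processes expected to talk to YouTube; anything else fetching it is unusual (assumption)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Hosts the module uses as a configuration dead drop, per the article
DEAD_DROP_HOSTS = {"www.youtube.com", "youtube.com"}

# Constructed endpoint telemetry: (timestamp_seconds, process, destination_host, port)
SAMPLE_EVENTS = [
    (100, "chrome.exe", "www.youtube.com", 443),       # ordinary browsing, ignored
    (103, "chrome.exe", "i.ytimg.com", 443),
    (200, "svchost_upd.exe", "www.youtube.com", 443),  # non-browser reads a video description
    (203, "svchost_upd.exe", "203.0.113.45", 8443),    # ... then opens a connection to a bare IP
    (400, "updater.exe", "www.youtube.com", 443),      # non-browser, but no follow-up connection
]

def _is_ip_literal(host):
    """True when the destination was given as a raw IP rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def detect_dead_drop(events, window_s=60):
    """Flag a non-browser process that fetches a dead-drop host and, within
    window_s seconds, connects somewhere else. A follow-up to an IP literal
    (no DNS name, as a proxy address parsed out of text would be) is rated high."""
    alerts = []
    last_fetch = {}  # process -> timestamp of its most recent dead-drop fetch
    for ts, proc, host, port in sorted(events):
        if proc.lower() in BROWSERS:
            continue
        if host in DEAD_DROP_HOSTS:
            last_fetch[proc] = ts
            continue
        fetched_at = last_fetch.get(proc)
        if fetched_at is not None and ts - fetched_at <= window_s:
            alerts.append({
                "process": proc,
                "dead_drop_at": fetched_at,
                "follow_up": f"{host}:{port}",
                "severity": "high" if _is_ip_literal(host) else "medium",
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_dead_drop(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample only svchost_upd.exe is flagged, at high severity, because its follow-up destination is a bare IP address; updater.exe touches YouTube but never connects on to anything.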

The ESET security researchers contacted YouTube and the videos and related accounts have been taken down. But the case highlights some of the more interesting ways hackers are using common sites and tools to avoid detection.

“Our discovery shows that the criminals behind Stantinko continue to expand the ways they leverage the botnet they control,” the researchers concluded. “This remotely configured cryptomining module… shows this group continues to innovate and extend its money-making capabilities.”

Image: christiaancolen/Flickr
