UPDATED 20:54 EDT / NOVEMBER 28 2019

SECURITY

Botnet uses YouTube to hide its cryptomining activities

In a sign of the times, a longstanding botnet has changed its behavior, switching its activity to cryptomining while using YouTube as part of its process.

Discovered Tuesday by security researchers at ESET spol. s r.o., the shift involves the Stantinko botnet, which has been around since 2012 and was previously used as part of a massive adware campaign. Those behind the botnet are believed to be from the former Soviet bloc, since it has traditionally targeted mainly Russia, Ukraine, Belarus and Kazakhstan.

The botnet, estimated to consist of 500,000 computers, is believed to have shifted, around August 2018, from adware and other nefarious activities to distributing a cryptomining module.

Botnets, Trojans and other forms of malware that attempt to plant cryptomining code on targeted systems are nothing new. Where the Stantinko botnet gets interesting is the ways it attempts to avoid detection, including the use of YouTube, of all unexpected places.

The cryptomining module distributed by Stantinko is said to be a heavily modified version of xmr-stak, a popular open-source cryptominer, with unnecessary strings and functionality stripped out in an attempt to evade detection.

In a further effort to evade detection, the modified miner, dubbed CoinMiner.Stantinko, does not communicate directly with a mining pool, a usual detection trigger. Instead it uses YouTube as a dead drop to learn which proxies to connect to: the operators upload videos whose descriptions contain text that the module retrieves and parses to find the address of the mining proxy through which its illicit Monero mining traffic is relayed. Because the only request the module makes to a well-known site is a fetch of a YouTube page, security products that judge traffic by destination would usually let it pass; accessing YouTube is a routine activity not customarily flagged.
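The two halves of that technique, as an added example for this article (not ESET's analysis code and not the botnet's own): a dead-drop resolver has to pull a machine-readable endpoint out of free text that a human reads as a harmless video description, and a defender who cannot block YouTube can still ask which process made the request and what that process connected to next. The description text, the IP:port encoding, the telemetry line format, the process names and the detection window below are all constructed assumptions; the article does not disclose how Stantinko encodes its proxy addresses.

```python
"""Dead-drop resolver pattern and a process-aware detection heuristic.

Added example, not code from the article, ESET or the Stantinko operators.
Every input here is constructed; the encoding and telemetry format are assumed.
"""
import re
from datetime import datetime

# Constructed video description: benign-looking text with one embedded endpoint.
# 2.0.1.9 has no port and 256.1.1.1 is not a valid address, so both are noise.
SAMPLE_DESCRIPTION = """Relaxing piano music for study and sleep. Version 2.0.1.9 released.
Follow us for more! Contact: 203.0.113.17:45560
Support: 256.1.1.1:8080
Thanks for watching."""

ENDPOINT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")


def extract_proxy_candidates(description):
    """Return (ip, port) pairs that look like service endpoints in free text.

    This is what any dead-drop resolver must do: skip the human-readable filler
    and keep only syntactically valid IPv4:port tokens.
    """
    candidates = []
    for ip, port in ENDPOINT_RE.findall(description):
        if all(0 <= int(o) <= 255 for o in ip.split(".")) and 0 < int(port) < 65536:
            candidates.append((ip, int(port)))
    return candidates


# Assumed allowlist of processes that legitimately talk to video platforms.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}
VIDEO_DOMAINS = ("youtube.com", "googlevideo.com", "ytimg.com")

# Constructed endpoint telemetry: ts host process dest_host dest_ip dest_port.
# ws-17's svchost.exe fetches a YouTube page, then connects to an unrelated endpoint.
SAMPLE_EVENTS = """\
2019-11-26T10:00:01 ws-17 chrome.exe   www.youtube.com 198.51.100.10 443
2019-11-26T10:00:05 ws-17 svchost.exe  www.youtube.com 198.51.100.10 443
2019-11-26T10:00:07 ws-17 svchost.exe  -               203.0.113.17  45560
2019-11-26T10:01:00 ws-22 firefox.exe  www.youtube.com 198.51.100.10 443
2019-11-26T10:01:30 ws-22 firefox.exe  r3---sn-abc.googlevideo.com 198.51.100.20 443
"""


def parse_events(text):
    """Parse whitespace-separated telemetry lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest_host, dest_ip, port = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "process": proc.lower(), "dest_host": dest_host,
                       "dest_ip": dest_ip, "port": int(port)})
    return events


def is_video_platform(dest_host):
    return dest_host != "-" and dest_host.lower().endswith(VIDEO_DOMAINS)


def flag_dead_drop_lookups(events, window_s=60):
    """Flag non-browser processes that reach a video platform, and record the
    first non-platform endpoint the same process connects to within window_s.

    The destination alone is benign; the anomaly is who asked and what followed.
    """
    events = sorted(events, key=lambda e: e["ts"])
    flags = []
    for i, ev in enumerate(events):
        if not is_video_platform(ev["dest_host"]) or ev["process"] in BROWSERS:
            continue
        follow_on = None
        for later in events[i + 1:]:
            if (later["ts"] - ev["ts"]).total_seconds() > window_s:
                break
            same_actor = (later["host"], later["process"]) == (ev["host"], ev["process"])
            if same_actor and not is_video_platform(later["dest_host"]):
                follow_on = (later["dest_ip"], later["port"])
                break
        flags.append({"host": ev["host"], "process": ev["process"],
                      "lookup_ts": ev["ts"].isoformat(), "follow_on": follow_on})
    return flags


if __name__ == "__main__":
    print(extract_proxy_candidates(SAMPLE_DESCRIPTION))
    for flag in flag_dead_drop_lookups(parse_events(SAMPLE_EVENTS)):
        print(flag)
```

The follow-on endpoint the detector records is exactly the value the resolver extracted from the description, which is the pivot a responder wants: a destination-based block on YouTube is not an option, but a rule keyed on process identity plus the subsequent connection is, and the extracted address can be fed straight into a network block list.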

The ESET security researchers contacted YouTube and the videos and related accounts have been taken down. But the case highlights some of the more interesting ways hackers are using common sites and tools to avoid detection.

“Our discovery shows that the criminals behind Stantinko continue to expand the ways they leverage the botnet they control,” the researchers concluded. “This remotely configured cryptomining module… shows this group continues to innovate and extend its money-making capabilities.”

Image: christiaancolen/Flickr
