UPDATED 20:54 EDT / NOVEMBER 28 2019

26121122200_5ba118d193_c SECURITY

Botnet uses YouTube to hide its cryptomining activities

In a sign of the times, a longstanding botnet has changed its behavior, switching its activity to cryptomining while using YouTube as part of its process.

Discovered Tuesday by security researchers at ESET spol s.r.o, the shift involves the Statinko Botnet that has been around since 2012 and was previously used as part of a massive adware campaign. Those behind the botnet are believed to be from the former Soviet block since it has traditionally mainly targeted Russia, Ukraine, Belarus and Kazakhstan.

The botnet, estimated to consist of 500,000 computers, is believed to have shifted from adware and other nefarious activities around August 2018 to distributing a cryptomining module.

Botnets, Trojan viruses and other forms of hacking that attempt to inject cryptomining scripts onto targeted systems are nothing new. Where the Statinko Botnet gets interesting is the ways it attempts to avoid detection, including the use of YouTube, of all unexpected places.

The cryptomining module being distributed by Statinko is said to be a highly modified version of xmr-stak, a popular open-source cryptominer which has unnecessary strings and functionality stripped from it in an attempt to evade detection.

In an effort to evade detection, the modified script, dubbed CoinMiner.Stantinko, uses YouTube to define proxies instead of communicating directly with a mining pool, a usual detection trigger. The videos uploaded to YouTube include strings of text in their description that the script accesses to undertake its illicit Monero mining. Since the script is accessing YouTube for the information, existing security products would usually ignore the requests, because accessing YouTube is a regular activity not customarily flagged.

The ESET security researchers contacted YouTube and the videos and related accounts have been taken down. But the case highlights some of the more interesting ways hackers are using common sites and tools to avoid detection.

“Our discovery shows that the criminals behind Stantinko continue to expand the ways they leverage the botnet they control,” the researchers concluded. “This remotely configured cryptomining module… shows this group continues to innovate and extend its money-making capabilities.”

Image: christiaancolen/Flickr

Since you’re here …

Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!

Support our mission:    >>>>>>  SUBSCRIBE NOW >>>>>>  to our YouTube channel.

… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.

If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.