The Stantinko botnet has weaponized unique techniques for stealthily mining Monero on about half a million computers under its control, according to Slovak internet security company ESET.
New obfuscating techniques
In its new post, ESET outlines five new ways cryptojackers obfuscate illicit cryptocurrency mining. The most elaborate is generating the strings the malware uses directly in the computer's memory at runtime; the strings that are actually embedded in the module may serve no purpose other than misleading the victim's antivirus software.
“Since all the strings to be used in a particular function are always assembled sequentially at the beginning of the function, one can emulate the entry points of the functions and extract the sequences of printable characters that arise to reveal the strings,” ESET researcher Vladislav Hrčka explains.
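As an added illustration (not ESET's tooling or anything taken from the Stantinko module), the Python below models the recovery approach Hrčka describes: walk a function's entry point with a tiny emulator that understands only a standard x86 prologue and `mov byte ptr [ebp+disp8], imm8` stores, then harvest printable runs from the reconstructed stack frame. The instruction subset is an assumption for the illustration, and the sample bytes and the string they assemble are constructed.

```python
import string

# Bytes counted as part of a string: printable ASCII minus control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def emulate_entry(code: bytes, max_insns: int = 256) -> dict:
    """Interpret a function entry point and return {ebp_offset: byte_value}.
    Only push ebp / mov ebp,esp / sub esp,imm8 and byte stores to [ebp+disp8]
    are modelled (assumption); the walk stops at the first other instruction."""
    frame, pc = {}, 0
    for _ in range(max_insns):
        if pc >= len(code):
            break
        if code[pc] == 0x55:                            # push ebp
            pc += 1
        elif code[pc:pc + 2] == b"\x89\xe5":            # mov ebp, esp
            pc += 2
        elif code[pc:pc + 2] == b"\x83\xec":            # sub esp, imm8
            pc += 3
        elif code[pc:pc + 2] == b"\xc6\x45" and pc + 3 < len(code):
            # mov byte ptr [ebp+disp8], imm8: one character of the stack string
            disp = int.from_bytes(code[pc + 2:pc + 3], "little", signed=True)
            frame[disp] = code[pc + 3]
            pc += 4
        else:
            break                                       # unmodelled instruction
    return frame

def extract_strings(frame: dict, min_len: int = 4) -> list:
    """Walk the frame in address order and collect printable runs >= min_len."""
    found, run = [], bytearray()
    for off in sorted(frame):
        if frame[off] in PRINTABLE:
            run.append(frame[off])
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found

def build_sample() -> bytes:
    """Constructed prologue that assembles 'pool.example' one byte at a time."""
    code = bytearray(b"\x55\x89\xe5\x83\xec\x20")      # push ebp; mov ebp,esp; sub esp,0x20
    for i, ch in enumerate(b"pool.example\x00"):
        code += bytes([0xC6, 0x45, (-0x20 + i) & 0xFF, ch])
    return bytes(code) + b"\xe8\x00\x00\x00\x00"       # call rel32 ends the walk
```

Running `extract_strings(emulate_entry(build_sample()))` returns `['pool.example']`, a string that never appears contiguously in the sample bytes themselves.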
In order to avoid detection, bad actors also rely on such techniques as the addition of dead code and dead resources.
A new monetization strategy
The botnet, which has been operating since at least 2012, mainly targets users in Russia and Ukraine. Last year, the criminal behind it added a module that mines Monero (XMR), the anonymity-focused cryptocurrency, as a further source of easy money. Before that, it relied on advertising fraud and credential theft to monetize the infected machines.
Monero has been the darling of cryptojackers for years. As reported by U.Today, illegally mined coins account for more than four percent of the cryptocurrency’s total circulating supply.