Stantinko's Linux malware now poses as an Apache web server

Eight-year-old Stantinko botnet updates its Linux malware.
Written by Catalin Cimpanu, Contributor

Stantinko, one of the oldest malware botnets still operating today, has rolled out updates to its class of Linux malware, upgrading its trojan to pose as the legitimate Apache web server process (httpd) in order to make detection harder on infected hosts.

The upgrades, spotted by security firm Intezer Labs, come to confirm that despite a period of inactivity in regards to code changes, the Stantinko botnet continues to operate even today.

A short history of Stantinko

The Stantinko botnet was first detected in 2012. The group behind this malware began operating by distributing the Stantinko trojan as part of app bundles or via pirated apps.

Only Windows users were targeted in the beginning, with the malware using infected hosts to show unwanted ads or for installing a hidden cryptocurrency miner.

As the botnet grew in size and started generating more profits, its code evolved across the years. A considerable update was discovered in 2017 [see PDF report] when Slovak security firm ESET spotted Stantinko also deploying special versions of its malware for Linux systems.

This Linux version acted as a SOCKS5 proxy, with Stantinko turning infected Linux systems into nodes into a larger proxy network.

Each of these Linux systems would be used to launch brute-force attacks against content management systems (CMSs) and various web-based systems, such as databases. Once it compromised these systems, the Stantinko gang would elevate its access to the underlying server OS (Linux or Windows) and then deployed a copy of itself and a crypto-miner to generate even more profits for the malware authors.

New Stantinko Linux version

But crypto-mining botnets like Stantinko are a dime a dozen, and they aren't usually tracked with the same vigor as ransomware gangs or botnets like Emotet or Trickbot.

The last version of Stantinko's Linux malware was spotted back in 2017, having a version number of 1.2. But in a report released today and shared with ZDNet, Intezer Labs said that after three years, they have recently discovered a new version of Stantinko's Linux malware, having a version number of 2.17 — a huge jump from the previous known release.

However, despite the huge version gap between the two releases, the Intezer team notes that the new version is actually leaner and contains fewer features than the older release, which is odd, as malware tends to bulk up as years go by.

One reason behind this odd move is that the Stantinko gang might have removed all the chaff from its code and left only the features they need and use on a daily basis. This includes the proxy feature, still present in the newer release, and crucial for its brute-forcing operations.

Another reason might also be that the Stantinko gang was attempting to reduce the malware's fingerprint against antivirus solutions. Fewer lines of code mean less malicious behavior to detect.

And Intezer notes that Stantinko almost pulled it off, as the newer version had a very low detection rate on the VirusTotal aggregated virus scanner, almost going by undetected.

Posing as Apache's web server

Furthermore, the Stantinko gang appears to have put a primer on stealth in this newer release because they also modified the process name its Linux malware uses, choosing to go with httpd, the name usually used by the more famous Apache web server.

This was obviously done to prevent server owners from spotting the malware at a regular visual inspection, as the Apache web server is often included by default in many Linux distros, and this process is usually running on Linux systems that Stantinko generally infects.

Either way, Linux system administrators need to realize that as the Linux OS becomes more widespread in enterprise environments today, more and more malware operations will begin targeting Linux, and many gangs will also bring over all their expertise and trickery from years of developing Windows malware.

What Linux server owners need to know is that despite Linux being a secure OS, malware often burrows deep inside systems because of misconfigurations. In Stantinko's case, this botnet goes after server administrators who use weak passwords for their databases and CMSs.

In fact, this is how all malware operates, regardless of operating system.

Malware rarely exploits OS-level vulnerabilities to gain a foothold on a system. In most cases, malware gangs usually focus on:

  • app misconfigurations that have left open ports or admin panels exposed online;
  • outdated apps left without security patches;
  • systems/apps that use weak passwords for internet-facing services;
  • tricking users into taking dangerous actions (social engineering);
  • or exploiting bugs in the apps that run on top of the operating system.

Exploits in the Linux OS itself are rarely used, and usually after the malware has already gained access to a system through one of the methods above.

These exploits, employed as second-stage payloads, are usually employed to elevate privileges from low-level to admin accounts, so the malware can take full control of the attacked system. This is why, even if Linux (or other OS) isn't targeted directly, it still needs to run up-to-date versions to prevent these user-to-root elevations once attackers gain a foothold on infected hosts.

Keeping systems safe from attacks is easy, as most system administrators need to keep apps up-to-date and to use strong passwords. Yet, this is always hard work because, in most cases, companies run hundreds or thousands of systems at the same time, and attackers only need to find one weak link to get in.

Linux turns 30: The biggest events in its history so far

Editorial standards