Posted on July 22, 2017 at 1:46 PM
A 99-page report released yesterday by ESET, a Slovak antivirus maker, reports that over half a million users have had their computers infected with a malware family called Stantinko.
Despite the malware being very advanced and capable of doing a lot of damage, ESET said its authors have used it only for hijacking search results and attacking Joomla and WordPress sites.
Stantinko has an impressive infection system as well as other features that let the malware's operators do pretty much anything on an infected computer.
The malware gets onto a device through pirated or cracked software, usually spread via torrents. To keep the user's attention away from what the cracked installer is actually putting on the machine, the installer conspicuously installs other unwanted applications at the same time.
ESET made a video explaining how Stantinko does this.
What gets installed at that point is the malware's main module along with two Windows services. If an antivirus product detects and removes one of them, the service that was not detected reinstalls the other, which lets Stantinko survive on the infected device much longer than usual; a cleanup therefore has to remove both services together.
According to ESET, earlier versions of Stantinko can be traced back to 2012, which means the malware has been in the making for at least five years without being detected.
In the report, the researchers suggest that the malware's code is split in two, which keeps its commands hidden from security researchers.
But however advanced the malware is, its makers appear uninterested in going further than installing adware with it. The malware's main goal is to install two Chrome extensions, "Teddy Protection" and "The Safe Surfing", which pose as child-protection filters while in fact hijacking the user's clicks on search results in the Russian search engine Rambler. ESET has a video explaining this as well.
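As a practical check, the two extension names above are something a responder can hunt for directly in Chrome profiles. The script below is an added example written for this article, not code from ESET or from the report: it walks a profile's Extensions directory, reads each manifest.json, resolves localised "__MSG_…__" names through _locales/*/messages.json (so a renamed-via-locale extension is not missed), and reports any extension whose display name matches. It assumes only the two names as the article states them; the extension IDs and the benign "Example Notes" extension in the sample profile are constructed test data, and the real IOCs (IDs, hashes) are the ones in ESET's report.

```python
import json
import re
import tempfile
from pathlib import Path

# Display names the article attributes to the two Stantinko extensions.
# Compared case-insensitively. Real Stantinko IOCs (extension IDs, hashes)
# are in ESET's report and are deliberately not guessed here.
STANTINKO_EXTENSION_NAMES = {"teddy protection", "the safe surfing"}

# Chrome keeps each installed extension at
#   <profile>/Extensions/<32-char id>/<version>/manifest.json
# On Windows the default profile is %LOCALAPPDATA%\Google\Chrome\User Data\Default.
# A manifest "name" may be a localisation key such as "__MSG_appName__",
# which has to be resolved via _locales/<locale>/messages.json.
_MSG_KEY = re.compile(r"^__MSG_(\w+)__$")


def _load_json(path: Path):
    try:
        with open(path, encoding="utf-8") as f:
            return json.load(f)
    except (OSError, ValueError):
        return None


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Return the human-readable extension name, resolving __MSG_ keys."""
    name = manifest.get("name", "")
    m = _MSG_KEY.match(name)
    if not m:
        return name
    key = m.group(1)
    locales = version_dir / "_locales"
    # default_locale first, then any other locale the extension ships
    candidates = [locales / manifest.get("default_locale", "en") / "messages.json"]
    candidates += sorted(locales.glob("*/messages.json"))
    for path in candidates:
        messages = _load_json(path)
        if isinstance(messages, dict):
            entry = messages.get(key)
            if isinstance(entry, dict) and isinstance(entry.get("message"), str):
                return entry["message"]
    return name  # unresolvable key: keep the raw placeholder (will not match)


def scan_profile(profile_dir) -> list:
    """Return sorted (extension_id, version, display_name) tuples for every
    extension in the profile whose name matches a Stantinko extension name."""
    hits = []
    for manifest_path in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        version_dir = manifest_path.parent
        manifest = _load_json(manifest_path)
        if not isinstance(manifest, dict):
            continue
        display_name = resolve_name(version_dir, manifest)
        if display_name.strip().lower() in STANTINKO_EXTENSION_NAMES:
            hits.append((version_dir.parent.name, version_dir.name, display_name))
    return sorted(hits)


def build_sample_profile(root) -> Path:
    """Construct a fake Chrome profile for demonstration. The extension IDs
    and the benign extension are made up; nothing here is a real capture."""
    profile = Path(root) / "Default"

    def write_ext(ext_id, version, manifest, messages=None):
        d = profile / "Extensions" / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages is not None:
            loc = d / "_locales" / manifest["default_locale"]
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(messages), encoding="utf-8")

    write_ext("a" * 32, "1.0.0_0", {"name": "Example Notes", "version": "1.0.0"})
    # localised name: only visible after resolving the __MSG_ key
    write_ext("b" * 32, "2.1_0",
              {"name": "__MSG_appName__", "default_locale": "en", "version": "2.1"},
              {"appName": {"message": "Teddy Protection"}})
    write_ext("c" * 32, "1.3_0", {"name": "The Safe Surfing", "version": "1.3"})
    return profile


def demo() -> list:
    """Build the sample profile in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_profile(build_sample_profile(tmp))


if __name__ == "__main__":
    for ext_id, version, name in demo():
        print(f"{ext_id}  {version}  {name!r}")
```

To run it against a live machine, call scan_profile() with the path to each Chrome profile directory (Default, Profile 1, and so on) rather than demo(). A name match is a lead, not a verdict: confirm any hit against the extension IDs and file hashes published in ESET's report before treating the host as infected.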
ESET says that no other search engines have been targeted, which leads the experts to believe the operation is a local one: the 500,000 victims are mainly in Russia (46%), Ukraine (33%), Belarus (8%) and Kazakhstan (8%), with the rest in other countries of the former Soviet space.
ESET's experts believe the operators behind Stantinko are interested only in monetary gain, leaving the malware's potential for cyber-espionage and similar high-level cybercrime unused.
Further details, including IOCs, can be found in ESET's report, Stantinko – Teddy Bear Surfing Out of Sight.