Stantinko Botnet Now Targeting Linux Servers

Stantinko, one of the oldest malware botnets still operating today, has updated its Linux malware: the trojan now poses as the legitimate Apache web server process (httpd) to make detection on infected hosts harder.

A new analysis published by Intezer confirms that, despite a period with no visible code changes, the Stantinko botnet is still operating today.

Intezer identified a new version of the Linux trojan masquerading as httpd, the Apache HTTP Server binary, a program commonly present on Linux servers. The new sample reports version 2.17; the previously known version was 1.2.

The Linux version acts as a SOCKS5 proxy, with Stantinko turning infected Linux systems into nodes in a larger proxy network.

The gang uses these nodes to launch brute-force attacks against content management systems (CMSs) and other web-facing systems, such as databases. Once it compromises such a system, the Stantinko gang elevates its access to the underlying server OS (Linux or Windows), then deploys a copy of itself and a crypto-miner to generate additional profit for the malware authors.

Upon execution, the malware validates a configuration file that is delivered to the infected machine together with the malware. It expects the file at /etc/pd.d/proxy.conf. If the file does not exist, or lacks the required structure, the malware exits without performing any further malicious activity. The presence of that path on a host is therefore a cheap indicator to check, alongside any process named httpd whose executable is not the distribution's Apache binary.
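The following host-hunting script is an added example written for this page; it is not Intezer's code and not code from the malware. It checks the three host artefacts the text describes: the required configuration file at /etc/pd.d/proxy.conf, running processes that call themselves httpd but run from somewhere other than a known Apache binary, and on-disk files whose SHA-256 matches the IOC hashes published below. The list of legitimate Apache paths is an assumption to adjust per distribution, and the demo() function builds a constructed fake /proc tree so the logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Host hunt for the Stantinko Linux proxy trojan (added example, not
the page's or Intezer's own code)."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes from the IOC section of the article.
STANTINKO_SHA256 = {
    "1de81bf6ee490b6bebe9f27d5386a48700e8431f902f4f17d64ddc5d8509ca7a",  # v2.17
    "889aa5a740a3c7441cdf7759d4b1c41c98fd048f4cf7e18fcdda49ea3911d5e5",  # v1.2
    "968b41b6ca0e12ea86e51e0d9414860d13599cd127ad860e1c52c2678f4f2cb9",
    "43a6894d5953b37f92940d5c783c9977690f358b5e25bba8c096fa54657bb2e5",
    "a305d488733d50ea92a2794cb6e0aa9d1d176e2c8906305ea48ff503fc2eb276",
}

# Configuration file the sample requires; it exits if this is missing.
CONFIG_PATH = "/etc/pd.d/proxy.conf"

# ASSUMPTION: where a package-managed Apache binary normally lives.
# Adjust for your distribution (Debian calls it apache2, RHEL httpd).
LEGIT_HTTPD_PATHS = {
    "/usr/sbin/httpd",
    "/usr/sbin/apache2",
    "/usr/local/apache2/bin/httpd",
}


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_masquerading_httpd(comm, exe_path, legit=LEGIT_HTTPD_PATHS):
    """True when a process names itself httpd (/proc/<pid>/comm) but its
    executable (/proc/<pid>/exe target) is not a known Apache binary.
    A target ending in " (deleted)" never matches, which is intended:
    a binary unlinked after start is suspicious in its own right."""
    return comm.strip() == "httpd" and exe_path not in legit


def list_masquerading_processes(proc_root="/proc", legit=LEGIT_HTTPD_PATHS):
    """Walk a procfs tree and return (pid, exe_target) for suspicious httpd."""
    hits = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text()
            exe = os.readlink(entry / "exe")
        except OSError:  # kernel thread, process exited, or no permission
            continue
        if is_masquerading_httpd(comm, exe, legit):
            hits.append((int(entry.name), exe))
    return hits


def find_ioc_matches(roots, hashes=STANTINKO_SHA256):
    """Return regular files under the given roots whose SHA-256 is an IOC."""
    matches = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    if os.path.isfile(p) and not os.path.islink(p) \
                            and sha256_file(p) in hashes:
                        matches.append(p)
                except OSError:
                    continue
    return matches


def config_file_present(path=CONFIG_PATH):
    return os.path.isfile(path)


def demo():
    """Constructed sample: a fake /proc with one legitimate Apache worker,
    one masquerading httpd and an unrelated sshd, plus a file whose own
    hash is treated as an IOC to show the hash sweep works."""
    base = Path(tempfile.mkdtemp(prefix="stantinko_hunt_"))
    proc = base / "proc"
    for pid, comm, exe in [(1001, "httpd", "/usr/sbin/httpd"),
                           (4242, "httpd", "/var/tmp/.x/httpd"),
                           (77, "sshd", "/usr/sbin/sshd")]:
        d = proc / str(pid)
        d.mkdir(parents=True)
        (d / "comm").write_text(comm + "\n")
        os.symlink(exe, d / "exe")  # dangling link; readlink only reads it
    sample = base / "payload"
    sample.write_bytes(b"constructed bytes, not the real sample\n")
    return {
        "masquerading": list_masquerading_processes(proc),
        "ioc_hits": find_ioc_matches([base], {sha256_file(sample)}),
        "config_present": config_file_present(base / "etc/pd.d/proxy.conf"),
    }


if __name__ == "__main__":
    print("config file present:", config_file_present())
    print("masquerading httpd:", list_masquerading_processes())
    print("IOC hash matches:", find_ioc_matches(["/tmp", "/var/tmp", "/dev/shm"]))
```

Run it as root so /proc/<pid>/exe is readable for every process; the hash sweep is limited to the world-writable directories a dropper typically uses, and the roots can be widened at the cost of runtime.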

The malware's check-in to its C&C server is an HTTP POST request, sent to one of the following paths:

/kbdmai/index.php

/kbdmai/dht/index.php

/kbdmai/DRTIPROV/index.php

/kbdmai/winsvc/index.php

/kbdmai/anti_rstrui/index.php
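The C&C paths above are a network indicator as much as a host one: an outbound HTTP POST to any of them from a Linux server is worth an alert. The script below is an added example, not from the page or from Intezer, that runs that check over web-proxy or web-server access logs in the Apache combined format. It handles both forward-proxy lines (absolute URL in the request) and server-side lines (path only). The exact path set is from the article; treating other paths under /kbdmai/ as a lower-confidence hit is an assumption of this example, and the sample log lines, including the host c2.example.invalid, are constructed.

```python
#!/usr/bin/env python3
"""Flag Stantinko C&C beacons in access logs (added example, not the
page's or Intezer's own code)."""
import re
from urllib.parse import urlsplit

# C&C request paths listed in the article.
STANTINKO_C2_PATHS = {
    "/kbdmai/index.php",
    "/kbdmai/dht/index.php",
    "/kbdmai/DRTIPROV/index.php",
    "/kbdmai/winsvc/index.php",
    "/kbdmai/anti_rstrui/index.php",
}

# Apache combined log format:
# client ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Forward-proxy logs carry an absolute URL, server logs just a path;
    # urlsplit normalises both into (host, path).
    parts = urlsplit(rec["target"])
    rec["host"] = parts.netloc
    rec["path"] = parts.path
    return rec


def classify(rec):
    """Confidence that a record is a Stantinko beacon, or None."""
    path = rec["path"]
    if path in STANTINKO_C2_PATHS:
        # The malware uses POST; a GET to the same path is still odd.
        return "high" if rec["method"] == "POST" else "medium"
    if path.startswith("/kbdmai/"):
        # ASSUMPTION of this example: same directory, unlisted file.
        return "low"
    return None


def find_beacons(lines):
    """Return (client, host, path, confidence) for every suspicious line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        confidence = classify(rec)
        if confidence:
            hits.append((rec["client"], rec["host"], rec["path"], confidence))
    return hits


# Constructed sample log; c2.example.invalid stands in for a C&C host,
# which the article does not name.
SAMPLE_LOG = [
    '10.0.0.17 - - [23/Nov/2020:10:14:02 +0000] "POST http://c2.example.invalid/kbdmai/dht/index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.17 - - [23/Nov/2020:10:14:09 +0000] "GET http://www.example.com/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '10.0.0.22 - - [23/Nov/2020:10:15:30 +0000] "GET http://c2.example.invalid/kbdmai/index.php HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.31 - - [23/Nov/2020:10:16:01 +0000] "POST http://c2.example.invalid/kbdmai/winsvc/index.php HTTP/1.1" 200 331 "-" "-"',
    '10.0.0.5 - - [23/Nov/2020:10:17:44 +0000] "POST http://10.0.0.9/wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [23/Nov/2020:10:18:12 +0000] "POST /kbdmai/anti_rstrui/index.php HTTP/1.1" 200 77 "-" "-"',
    'this line is not in combined format and is skipped',
    '10.0.0.40 - - [23/Nov/2020:10:19:00 +0000] "GET http://c2.example.invalid/kbdmai/other/index.php HTTP/1.1" 200 10 "-" "-"',
]


if __name__ == "__main__":
    for client, host, path, confidence in find_beacons(SAMPLE_LOG):
        print(f"{confidence:6s} {client:15s} {host or '(server log)':25s} {path}")
```

Feed real logs with `find_beacons(open("/var/log/squid/access.log"))` after switching the regex to your proxy's format; the high-confidence rule (POST to an exact listed path) is the one to page on, the others are for review.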

IOCs

New version: 2.17

1de81bf6ee490b6bebe9f27d5386a48700e8431f902f4f17d64ddc5d8509ca7a

Old version: 1.2

889aa5a740a3c7441cdf7759d4b1c41c98fd048f4cf7e18fcdda49ea3911d5e5

968b41b6ca0e12ea86e51e0d9414860d13599cd127ad860e1c52c2678f4f2cb9

43a6894d5953b37f92940d5c783c9977690f358b5e25bba8c096fa54657bb2e5

a305d488733d50ea92a2794cb6e0aa9d1d176e2c8906305ea48ff503fc2eb276

Acknowledgements and references:

https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/

https://www.zdnet.com/article/stantinkos-linux-malware-now-poses-as-an-apache-web-server/

https://thehackernews.com/2020/11/stantinko-botnet-now-targeting-linux.html
