KANALCOIN NEWS – The cybercriminals behind the cryptomining Stantinko botnet have devised several clever methods to evade detection. Vladislav Hrčka, a malware analyst at the cybersecurity company ESET, was very happy to announce his company's latest findings exposing the criminals, because the people behind the Stantinko botnet are constantly improving it and developing new modules, which often contain or even rely on non-standard and quite interesting techniques.
Active since 2012, the cryptomining botnet is roughly half a million machines strong and spreads via malware embedded in pirated content. Its targets are mainly users in Russia, Ukraine, Belarus and Kazakhstan.
Initially the operation focused on click fraud, ad injection, social-network fraud and password-stealing attacks. In mid-2018 it added cryptomining to its arsenal in the form of a Monero mining module. This module includes components that detect security software and shut down any rival cryptomining operations.
The module draws most of its power from the resources of the compromised machine, but it has been intelligently modified to suspend mining whenever the user opens the task manager, so that a user trying to find out why the computer is running so slowly sees nothing suspicious. In essence, checking the task manager will not help.
ESET also disclosed that CoinMiner.Stantinko does not communicate with the mining pool directly; instead it uses a proxy whose IP address it obtains from the description text of a YouTube video. ESET had already described this module in November last year, but the cryptomining module has since gained new techniques to avoid detection. These obfuscation techniques are applied continuously and include:
- Obfuscation of strings, where strings are constructed at runtime and only exist in memory when they are about to be used.
- Dead strings and resources: resources and strings added to the binary with no impact on its functionality.
- Control-flow obfuscation, where the control flow is transformed into a hard-to-read form that makes the execution order of basic blocks unpredictable.
- Dead code: code that is never executed, whose sole purpose is to make the files look more legitimate.
- Do-nothing code: additional code that runs but does nothing, as a way of evading behaviour-based detection.
In essence, the module's most prominent feature is the way it hinders analysis and evades detection. The obfuscation is applied at source level with random granularity, and the Stantinko operators compile this module afresh for every new cryptomining victim.