A new Stantinko Bot masqueraded as httpd targeting Linux servers

Researchers spotted a new variant of an adware and coin-miner botnet operated by Stantinko threat actors that now targets Linux servers.

Researchers from Intezer have spotted a new variant of an adware and coin-miner botnet that is operated by Stantinko threat actors since 2012.

The Stantinko botnet was first spotted by ESET in 2017, at the time it infected around half a million computers worldwide. Operators behind the botnet powered a massive adware campaign active since 2012, crooks mainly targeted users in Russia, Ukraine, Belarus, and Kazakhstan searching for pirated software.

According to a new analysis published by Intezer, the Linux trojan masqueraded as httpd, which is the Apache Hypertext Transfer Protocol Server commonly used on Linux servers. At the time of this analysis, the new version of the Trojan has a detection rate of one in VirusTotal. The sample, an unstripped 64-bit ELF binary, was uploaded on November 7, 2020 from Russia.

“We have identified a new version of this Linux trojan masqueraded as httpd. httpd is Apache Hypertext Transfer Protocol Server, a commonly used program on Linux servers. The sample’s version is 2.17, and the older version is 1.2*.” reads the analysis published by Intezer.

“We believe this malware is part of a broader campaign that takes advantage of compromised Linux servers.”

Upon execution, the Trojan will validate a configuration which is located at “/etc/pd.d/proxy.conf” and is delivered together with the malware

Then the malware creates a socket and a listener to accept connections from other infected systems.

“Once a client connects to the listener, the program calls the on_client_connect function. First, it checks if the request method is GET, POST or NOTIFY.” continues the analysis.

“If the request method is GET, the program will reply with a 301 redirect HTTP response containing the redirect_url parameter from the configuration file.”

If the request method is HTTP the proxy passes the request to an attacker-controlled server, which then responds with an appropriate payload that’s forwarded by the proxy to the client.

In case the compromised server will receive a HTTP Get request from a non-infected client, it replies with an HTTP 301 redirect to a preconfigured URL which is specified in the configuration file.

The new variant of the malware shares several function names with the old version, experts also noticed some hardcoded paths that are similar to the ones employed in previous Stantinko campaigns.

“Stantinko is the latest malware targeting Linux servers to fly under the radar, alongside threats such as Doki , IPStorm and RansomEXX ,” the report concludes. “We think this malware is part of a broader campaign that takes advantage of compromised Linux servers.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.