
In-Depth Analysis of the Stantinko Malware – How to Protect Yourself


The infamous Stantinko malware family has turned out to be a menace to European countries. Computer hackers are using the dangerous virus to infect computers on a mass scale. According to the latest data, about 4 million computers in Moscow are affected by the threat, which accounts for about 20% of all machines in the capital city. Other countries that are heavily affected include Ukraine, Belarus and Latvia.


Stantinko Malware Description

The Stantinko malware has been active since 2002, when its first iterations were detected. Since then numerous versions have been created by criminal groups all over the world. A new major release was detected several months ago and is being used in large-scale attacks. The core Stantinko virus has been found to contain many advanced features that set it apart from other similar threats. One of them is the fact that its code is encrypted, which makes it very hard for anti-malware and antivirus products to detect its presence. In fact the majority of the strains have gone undetected for the last five years, according to reports issued by security vendors.

Depending on the hacker configuration, the Stantinko malware can be delivered as a software payload bundled with an installer or via a web script. It can also infect computers by utilizing other methods. Continue reading to find out how you can become a victim of the virus.

Stantinko Malware Capabilities

The majority of the Stantinko malware samples showcase advanced features. Depending on the component obtained, the malware may execute different behavior patterns. Some of the newest samples show a modular structure that is composed of two main components:

  1. Stantinko Loader – It is used to infiltrate the machine and extract the second part of the malware.
  2. Encrypted Virus Component – This part of the Stantinko malware decrypts the malicious code and starts the infection process. The decryption is done using a key pair that is generated for each individual host. This prevents the use of master keys to identify the encrypted parts, a feature which severely limits detection by security software.

The security analysis reveals that the virus code is able to install itself deep into the system and attain a persistent state of execution – the virus carefully monitors system and user actions that may prevent its removal. The malware installs two malicious Windows services (launched at system startup), along with registry entries and several configuration files.

Stantinko malware is able to reinstall itself in case a security app or the user attempts to delete it. The virus contains numerous anti-removal modules. To effectively eliminate the infection, victims need to use a quality anti-malware solution.
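The persistence mechanism described above (two services launched at system startup) gives a defender a concrete place to look. The following PowerShell script is an added example written for this article; it is not code from the original post or from any vendor tool, and it does not know any Stantinko-specific service names. It assumes a Windows host with PowerShell 5.1 or later and uses only standard cmdlets (Get-CimInstance, Test-Path, Get-AuthenticodeSignature). It lists every service configured to start automatically and flags those whose executable is not validly Authenticode-signed or does not live under the Windows directory. Flagged entries are leads for manual review, not proof of infection: legitimate third-party services are often installed outside the Windows directory, and a malicious binary can still sit inside it, which is why the signature status is reported alongside the path.

```powershell
# Added example (not from the article): triage of auto-start Windows services.
# The article describes persistence through two services launched at startup,
# so this script enumerates Automatic-start services and flags the ones whose
# binary is unsigned, has an invalid signature, is missing, or lives outside
# %SystemRoot%. Review each flagged entry by hand before acting on it.

$systemRoot = $env:SystemRoot

# Extract the executable path from a service PathName, which may look like
#   "C:\Program Files\Vendor\svc.exe" -arg     (quoted)
#   C:\Windows\system32\svchost.exe -k netsvcs  (unquoted, with arguments)
function Get-ServiceExePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to and including the first ".exe" token
    $m = [regex]::Match($PathName, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

$autoServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' }

$findings = foreach ($svc in $autoServices) {
    $exe = Get-ServiceExePath $svc.PathName
    if (-not $exe) { continue }
    $exists   = Test-Path -LiteralPath $exe
    $inWinDir = $exe -like "$systemRoot\*"
    # SignatureStatus is Valid, NotSigned, HashMismatch, UnknownError, ...
    $sigState = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
    $suspicious = (-not $inWinDir) -or ("$sigState" -ne 'Valid')
    [pscustomobject]@{
        Name       = $svc.Name
        State      = $svc.State
        Executable = $exe
        InWinDir   = $inWinDir
        Signature  = "$sigState"
        Suspicious = $suspicious
    }
}

# Suspicious entries first; the full list is kept so nothing is silently dropped.
$findings | Sort-Object -Property Suspicious -Descending |
    Format-Table Name, State, Signature, InWinDir, Executable -AutoSize
```

Run it from an elevated PowerShell prompt so that every service's binary can be read for signature checking. Because the article says the malware reinstalls itself when deleted, a service that reappears after removal, or a pair of auto-start services pointing at the same unsigned binary, is the pattern worth escalating rather than cleaning up by hand.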

The Stantinko malware family contacts hacker-operated command servers that can send in new versions of the virus code. The hackers can also execute remote commands on the infected hosts. The newer strains of the threat support several plugins that can be activated by the criminals:

  • Password Brute Force Module – This is a dictionary-based attack that is able to crack protected systems, applications and services used by the victims.
  • Web Services Attack – This plugin makes the infected computers use search engines to locate vulnerable web services such as the WordPress blog engine and the Joomla content management system. To evade detection it mimics human behavior by using timestamps and popular services to craft packets that appear as legitimate queries.
  • Trojan Module – The Stantinko virus engine implements a backdoor that allows the criminals to spy on the victims in real time, execute arbitrary commands and harvest sensitive data.
  • Facebook Bot – This is a fully-featured bot that uses the Facebook social network to carry out fraud directed by the criminals. It is able to create fake accounts, like target pictures or pages, and add friends to the counterfeit profiles. It includes a technique that is able to bypass CAPTCHA protection.

[Image: Stantinko malware distribution tactics]

How Stantinko Malware Infections Happen

One of the most common ways to pick up a Stantinko virus infection is by browsing hacker-controlled sites. The criminals have set up various scripts and counterfeit services that pose as legitimate and well-known companies. The network that is used to spread the malware includes malicious ad networks and redirects. One of the large-scale attack campaigns was found to use two dangerous browser extensions, The Safe Surfing and Teddy Protection. They modify important browser settings by redirecting the user to a hacker-controlled site and also display criminal ads that generate income for the operators. Several sites that promote free or pirated versions of popular software have also been identified as spreading the malware.

Computer users should be extra careful when navigating and using untrustworthy sites. They should be well-instructed in detecting and avoiding phishing (fake) web pages.

Another source of infection includes fake sites linked on the popular Rambler portal, which is used by the majority of Russian-speaking users. It has been found that the infected computers are recruited into a worldwide botnet that is also used to spread the virus.

Stantinko has been found to impact Linux systems as well. If a computer running the open-source operating system is affected, a binary is uploaded to it. This is a malicious file that can be changed according to the hacker campaign. The identified samples have been found to have the following features:

  • System Data Harvesting – This option allows the hackers to obtain detailed information about the infected computers. The collected information covers the system configuration, hardware components and user settings. All information is transmitted to the hackers.
  • Additional Payload Download – The hackers can utilize this function to download and start additional malware on the infected computers.
  • SOCKS Proxy Server – The execution of a proxy server can be used to relay malicious commands via the botnet.

Protect Yourself from the Stantinko Malware

The majority of the infected users have fallen victim to the Stantinko malware by remaining unprotected. The security analysis reveals that the larger part of the infections were caused by browser hijackers and the downloading of malicious files from the Internet. This is the reason why we recommend that all users scan their computers for any malware.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
