A recent report published by ESET, a cybersecurity company, describes how the Stantinko botnet has been distributing a Monero (XMR) cryptocurrency-mining module that uses YouTube to hide its configuration, so that infected machines mine the coin without their owners' knowledge or consent (cryptojacking).
It is worth being precise about YouTube's role, because the report is easy to misread: watching a video does not infect a computer. The mining module runs on machines that are already under the botnet's control, and it uses descriptions of videos posted on attacker-controlled YouTube channels as a place to publish the parameters it needs to connect to the mining infrastructure. Once running, the module quietly consumes the victim's CPU to mine Monero for the operators.
The Stantinko botnet has been operational since at least 2012 and mainly targets users in Russia, Ukraine, Belarus and Kazakhstan. The mining module went unnoticed for a long time partly because the data it fetched was hosted on YouTube: traffic to a mainstream Google service blends in with ordinary browsing and is rarely blocked or inspected, so a connection to youtube.com raises no alarm.
The report walks through the methodology ESET used to uncover the network of YouTube channels hosting this data. The researchers found that the miner does not connect directly to a mining pool, which would be easy to spot in network traffic, but to intermediary mining proxies, which also keep the pool address and the operators' wallet out of the sample. The proxies' IP addresses are not hard-coded in the binary either: the module reads them from the description text of the videos. Swapping a description therefore re-points the whole botnet at new proxies without changing a byte of the malware.
Hiding such data in video descriptions is a known technique, used by other malware families too. The Casbaneiro banking trojan, for example, also stores the address of its command-and-control server in YouTube video descriptions, treating a popular, trusted service as a dead drop that defenders are unlikely to block.
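The dead-drop pattern described above is simple to triage once you know to look for it. The following is an added example, not code from the ESET report or from the malware: a small Python extractor that scans free text (a video description, a comment, a profile field) for candidate endpoints. It recognises plain dotted-quad addresses and, as an assumption made for this example rather than a claim about Stantinko's real encoding, IPv4 addresses written as eight hex digits, each optionally followed by a port. The sample description is constructed.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed video description (not taken from the ESET report): it reads
# like an ordinary blurb but carries three endpoints, one as a dotted quad
# and two as 8-hex-digit IPv4 values. The hex encoding is an assumption made
# for this example, not a claim about Stantinko's real format.
SAMPLE_DESCRIPTION = """Thanks for watching, subscribe for more!
Music credits 0A0B0C0D:3333 tracklist in the comments
Part 2 is up -> 192.0.2.44:14444
booking: C0000201 / promo code 20191126
"""

# Dotted-quad IPv4 with an optional :port, not embedded in a longer token.
DOTTED = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\w.])")
# Exactly eight hex digits with an optional :port, not part of a longer hex run.
HEX8 = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{8})(?::(\d{1,5}))?(?![0-9A-Fa-f])")

Endpoint = Tuple[str, Optional[int], str]  # (ip, port, form)


def hex_to_ipv4(hex8: str) -> str:
    """Decode a big-endian 8-hex-digit string into dotted-quad notation."""
    return str(ipaddress.IPv4Address(int(hex8, 16)))


def _port(raw: Optional[str]) -> Optional[int]:
    """Return the port as int, or None when absent or out of range."""
    if raw is None:
        return None
    port = int(raw)
    return port if 1 <= port <= 65535 else None


def extract_endpoints(text: str) -> List[Endpoint]:
    """Return candidate (ip, port, form) triples hidden in free text.

    This is a triage heuristic: it surfaces anything that could be a
    dead-dropped endpoint so an analyst can pivot on it; it does not decide
    whether an address is malicious.
    """
    found: List[Endpoint] = []
    seen = set()
    for m in DOTTED.finditer(text):
        try:
            ip = str(ipaddress.IPv4Address(m.group(1)))  # rejects octets > 255
        except ValueError:
            continue
        cand = (ip, _port(m.group(2)), "dotted")
        if cand not in seen:
            seen.add(cand)
            found.append(cand)
    for m in HEX8.finditer(text):
        token = m.group(1)
        # Pure-digit tokens (dates, order numbers) are far more common than
        # hex-encoded addresses, so require at least one A-F digit.
        if token.isdigit():
            continue
        cand = (hex_to_ipv4(token), _port(m.group(2)), "hex")
        if cand not in seen:
            seen.add(cand)
            found.append(cand)
    return found


if __name__ == "__main__":
    for ip, port, form in extract_endpoints(SAMPLE_DESCRIPTION):
        print(f"{form:6} {ip}:{port if port else '-'}")
```

Run it against descriptions pulled from channels that a sample is seen contacting, and feed the resulting addresses into firewall logs or passive DNS; a dotted quad followed by a high port in a music credit line is the kind of oddity an analyst would otherwise skim past.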
Stantinko has stayed under the radar partly through evasion techniques aimed at the user rather than at security software. The miner pauses, or sharply reduces, its work whenever a laptop is running on battery, so the battery drains no faster than it would under normal use and the owner has no reason to become suspicious. It also suspends mining when it detects a task-manager process, so someone looking for a CPU hog finds nothing unusual.
The module's code is also heavily obfuscated, which hinders both manual analysis and signature-based detection, making it harder for security products to flag the malware.
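The battery-aware throttling described above leaves a fingerprint of its own: a legitimate heavy process keeps working when the laptop is unplugged, while a miner that goes quiet on battery shows CPU usage that depends on the power state. The block below is an added example, not code from the report: a Python hunting heuristic that takes per-process CPU samples tagged with the host's power state (it is assumed an endpoint agent records both; the telemetry here is constructed) and flags processes that are busy on mains power but nearly idle on battery.

```python
from collections import defaultdict
from statistics import mean
from typing import Dict, Iterable, List, Tuple

# Constructed telemetry (not from the report): one sample per polling interval,
# (process name, host on AC power?, process CPU percent). It is assumed an
# endpoint agent records both the power state and per-process CPU usage.
SAMPLES: List[Tuple[str, bool, float]] = [
    ("updater.exe", True, 91.0), ("updater.exe", True, 88.5), ("updater.exe", True, 93.2),
    ("updater.exe", False, 0.4), ("updater.exe", False, 0.0), ("updater.exe", False, 0.9),
    ("browser.exe", True, 35.0), ("browser.exe", True, 12.0), ("browser.exe", True, 40.0),
    ("browser.exe", False, 30.0), ("browser.exe", False, 22.0), ("browser.exe", False, 38.0),
    ("encoder.exe", True, 95.0), ("encoder.exe", True, 97.0), ("encoder.exe", True, 96.0),
    ("encoder.exe", False, 94.0),  # only one battery sample: not enough to judge
]


def power_conditioned_cpu(
    samples: Iterable[Tuple[str, bool, float]],
    min_samples: int = 3,
    ac_floor: float = 50.0,
    battery_ceiling: float = 5.0,
) -> Dict[str, Tuple[float, float]]:
    """Flag processes whose CPU use collapses when the host switches to battery.

    Returns {process: (mean_cpu_on_ac, mean_cpu_on_battery)} for every process
    that has at least min_samples observations in each power state, averages
    above ac_floor on mains power and below battery_ceiling on battery. A
    legitimate heavy process (video encoder, compiler) keeps working on battery
    and is not flagged; a process with too few samples in one state is skipped
    rather than guessed at.
    """
    by_proc: Dict[str, Dict[bool, List[float]]] = defaultdict(lambda: {True: [], False: []})
    for proc, on_ac, cpu in samples:
        by_proc[proc][on_ac].append(cpu)

    flagged: Dict[str, Tuple[float, float]] = {}
    for proc, buckets in by_proc.items():
        if len(buckets[True]) < min_samples or len(buckets[False]) < min_samples:
            continue
        ac_mean, bat_mean = mean(buckets[True]), mean(buckets[False])
        if ac_mean >= ac_floor and bat_mean <= battery_ceiling:
            flagged[proc] = (round(ac_mean, 1), round(bat_mean, 1))
    return flagged


if __name__ == "__main__":
    for proc, (ac, bat) in power_conditioned_cpu(SAMPLES).items():
        print(f"{proc}: {ac}% on AC vs {bat}% on battery -> power-aware CPU hog")
```

The thresholds are deliberately conservative; on a real fleet the useful signal is the ratio between the two states over days of samples, not a single polling interval, and the same idea applies to the task-manager check: a process whose CPU drops the moment taskmgr.exe starts is worth a closer look.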
According to the report, YouTube was notified of the findings and took down all the channels that had been hosting the mining module's configuration.
It is clear to cybersecurity experts by now, however, that attackers will keep finding new ways to avoid detection: each improvement in defences is met with a counter-measure. This cat-and-mouse game can go on for years, and in the end those most affected are the victims, who often never realise that cryptojacking is behind their sluggish machine.
This is not the first Monero cryptojacking case. Several months ago French police dismantled a Monero-mining botnet, and in June a security report described how another Monero miner was being planted on compromised Oracle WebLogic servers. More recently, Monero's own website was compromised to serve a tampered wallet binary designed to steal users' funds.