The international antivirus company ESET reported that hundreds of thousands of users in Russia, Belarus, Ukraine and Kazakhstan have fallen victim to a cryptocurrency-mining malware. Its dedicated mining module went unnoticed by specialists for years.
According to ESET, the mining module is distributed by the Stantinko botnet, a complex threat that has been active since at least 2012. The botnet has self-defense mechanisms that allow its operators to remain undetected.
Stantinko is most often distributed through torrents and can disguise itself as pirated software. Previously it was used for advertising-fraud schemes: security experts say that over the past five years the botnet has infected more than 500,000 computers, most of them in Russia (46%) and Ukraine (33%).
ESET identifies the crypto-mining module as CoinMiner. The module is compiled specifically for each new victim, which makes it difficult to detect on the device. It can also reach the mining pool through a proxy whose IP addresses are published in the descriptions of YouTube videos.
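The covert proxy configuration described above can be hunted for on the defender's side by inspecting the text of suspected videos. The function below is an added illustration, not code from ESET's report or from the malware itself; it extracts candidate IP:port endpoints from a constructed description (values made up for the example) while discarding timestamps, version-like strings, malformed octets, non-routable addresses and out-of-range ports.

```python
import ipaddress
import re

# Constructed sample description with proxy endpoints hidden among ordinary text.
# Not a real artifact; addresses come from the RFC 5737 documentation ranges.
SAMPLE_DESCRIPTION = """Thanks for watching! Subscribe for more.
Mirror: 203.0.113.45:8080
Backup 198.51.100.7:3128 (if the first one is slow)
Timestamps: 01:23 intro, 04:56 gameplay
Updated 2019.11.27
Build id 256.10.10.10
Local test 192.168.1.10:9050
"""

# Dotted-quad IPv4 with an optional :port. The lookarounds stop the pattern from
# matching inside longer digit/dot runs such as "2019.11.27".
_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?(?![\d.])")

# Ranges that cannot be a public proxy. Listed explicitly (instead of using
# IPv4Address.is_global) because the documentation ranges used in the sample
# would otherwise be filtered out as well.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def extract_proxy_candidates(text):
    """Return (ip, port) pairs that could plausibly be proxy endpoints.

    port is None when the text gives a bare address. Malformed octets,
    non-routable addresses and ports outside 1-65535 are dropped.
    """
    found = []
    for ip_str, port_str in _CANDIDATE.findall(text):
        try:
            ip = ipaddress.IPv4Address(ip_str)
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
        if any(ip in net for net in _NON_ROUTABLE):
            continue
        port = int(port_str) if port_str else None
        if port is not None and not 1 <= port <= 65535:
            continue
        found.append((str(ip), port))
    return found
```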
It is almost impossible to detect the module on a computer without dedicated security checks. CoinMiner.Stantinko constantly scans the processes running on the PC and shuts itself down when it registers antivirus activity.
Mining consumes a significant share of the computer's resources. To avoid arousing suspicion, the module monitors system activity and pauses its work, for example when the device is running on battery power.
The main goal of Stantinko is financial gain. Its operators generate fraudulent clicks on advertising links: the malware installs two browser extensions (Safe Surfing and Teddy Protection) that display unauthorized advertising, which brings income to the operators.
Analysts note that Stantinko lets its operators not only simulate clicks on advertisements but also steal data from the computer, break into website control panels with password-guessing attacks in order to resell them, create fake accounts, generate likes on pages and photos, and pad friend lists on Facebook.