Stantinko Botnet Now Targeting Linux Servers
by CIRT Team
Stantinko, one of the oldest malware botnets still operating today, has rolled out updates to its class of Linux malware, upgrading its trojan to pose as the legitimate Apache web server process (httpd) in order to make detection harder on infected hosts.
A new analysis published by Intezer confirms that, despite a period of inactivity in regards to code changes, the Stantinko botnet continues to operate even today.
Intezer identified a new version of this Linux trojan masquerading as httpd. httpd is the Apache Hypertext Transfer Protocol Server, a program commonly found on Linux servers. The sample’s version is 2.17; the older version is 1.2.
This Linux version acted as a SOCKS5 proxy, with Stantinko turning infected Linux systems into nodes in a larger proxy network.
Each of these Linux systems would be used to launch brute-force attacks against content management systems (CMSs) and various web-based systems, such as databases. Once it compromised these systems, the Stantinko gang would elevate its access to the underlying server OS (Linux or Windows) and then deploy a copy of itself and a crypto-miner to generate even more profits for the malware authors.
Upon execution, the malware will validate a configuration file which is delivered together with the malware on the infected machine. The malware expects the configuration file to be located at “/etc/pd.d/proxy.conf”. If the configuration file does not exist, or if it lacks the required structure, the malware exits without conducting any additional malicious activity.
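A small hunting script built from the two host-level indicators the write-up gives: a process named httpd that is not the genuine Apache binary, and the configuration file at /etc/pd.d/proxy.conf. This is an added example, not code from this page or from Intezer; the list of legitimate httpd paths and the use of /proc/<pid>/comm as the process name are assumptions.

```sh
#!/bin/sh
# Added hunting helper; not code from the Intezer report or the CIRT page.
# Indicators taken from the write-up: a process called "httpd" that is not the
# genuine Apache binary, and the trojan's config file at /etc/pd.d/proxy.conf.

# Where a genuine Apache httpd binary lives on common distributions
# (assumption: extend this list for your environment).
KNOWN_HTTPD_PATHS="/usr/sbin/httpd /usr/sbin/apache2 /usr/local/apache2/bin/httpd"

# classify_httpd NAME EXE_PATH -> prints "ok" or "suspicious".
classify_httpd() {
    name="$1"; exe="$2"
    [ "$name" = "httpd" ] || { echo ok; return 0; }
    for p in $KNOWN_HTTPD_PATHS; do
        [ "$exe" = "$p" ] && { echo ok; return 0; }
    done
    echo suspicious
}

# stantinko_config_present ROOT -> succeeds if ROOT/etc/pd.d/proxy.conf exists.
# ROOT is "" for the live host, or a mounted image / test directory.
stantinko_config_present() {
    [ -f "$1/etc/pd.d/proxy.conf" ]
}

# scan_running_httpd ROOT -> one "PID EXE" line per suspicious httpd process,
# read from ROOT/proc/<pid>/comm and ROOT/proc/<pid>/exe.
scan_running_httpd() {
    root="$1"
    for d in "$root"/proc/[0-9]*; do
        [ -r "$d/comm" ] || continue
        name=$(cat "$d/comm")
        exe=$(readlink "$d/exe" 2>/dev/null || echo "?")
        if [ "$(classify_httpd "$name" "$exe")" = "suspicious" ]; then
            echo "${d##*/} $exe"
        fi
    done
}

# Constructed demo: a fake host root with a legitimate httpd (pid 1000),
# an impostor httpd running from a hidden directory (pid 4242), and the config.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/pd.d" "$demo_root/proc/1000" "$demo_root/proc/4242"
: > "$demo_root/etc/pd.d/proxy.conf"
echo httpd > "$demo_root/proc/1000/comm"; ln -s /usr/sbin/httpd "$demo_root/proc/1000/exe"
echo httpd > "$demo_root/proc/4242/comm"; ln -s /tmp/.x/httpd "$demo_root/proc/4242/exe"
stantinko_config_present "$demo_root" && echo "config indicator: present"
scan_running_httpd "$demo_root"        # prints: 4242 /tmp/.x/httpd
rm -rf "$demo_root"
```

On a live host run `scan_running_httpd ""` and `stantinko_config_present ""`; a hit on either is a lead to triage, not proof of infection, since a locally built Apache can legitimately live outside the listed paths.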
The POST request is sent to one of the following paths on the C&C server:
New version: 2.17
Old version: 1.2
Acknowledge and Reference:
26 Oct 2023 - Security Advisories & Alerts