An existing botnet has changed its behaviour by switching to cryptomining, and it uses YouTube as part of that process. The change was discovered on Tuesday by ESET security researchers.
The Stantinko botnet, which has been active since 2012, was previously used as part of a large-scale advertising campaign. The botnet probably originates from the former Eastern bloc, since it mainly targets Russia, Ukraine, Belarus and Kazakhstan, reports Silicon Angle. The botnet, estimated to consist of a total of 500,000 computers, is said to have switched from adware and similar activities to the distribution of a cryptomining module by August 2018.
Botnets, Trojans and other tactics that attempt to install cryptominers on systems are nothing new, but the Stantinko botnet uses a distinctive way of avoiding discovery: among other things, it uses YouTube to evade detection.
Xmr-stak
The cryptomining module distributed by Stantinko is probably a heavily modified version of xmr-stak. This is a popular open-source cryptominer, but Stantinko uses a customised version with code strings and functions removed to avoid detection.
The modified miner, called CoinMiner.Stantinko, uses YouTube to obtain its proxies instead of communicating directly with a mining pool. The descriptions of videos uploaded to YouTube contain specific lines of text that the miner reads to learn which proxies to use, which is how it mines Monero. Because the miner only has to reach YouTube, existing security solutions would usually ignore the requests, as access to YouTube is a normal activity. Other malware mining the same cryptocurrency had already been discovered previously.
ESET security researchers have contacted YouTube and the relevant videos and accounts have been deleted.
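The evasion described above works because the destination (YouTube) looks legitimate, so the useful signal for a defender is which process made the request and what that process connected to next. The following is an added example, not ESET's code or anything from the Stantinko malware: it runs over constructed endpoint-log lines in an assumed simple "timestamp process destination" format, flags non-browser processes fetching youtube.com, and lists the destinations each such process contacted shortly afterwards (candidate proxies learned from a video description). The process names, hosts and log format are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): "<ISO timestamp> <process> <destination>".
SAMPLE_LOG = """\
2019-11-26T10:00:01 chrome.exe www.youtube.com
2019-11-26T10:00:05 svchost.exe www.youtube.com
2019-11-26T10:00:06 svchost.exe 203.0.113.10:3333
2019-11-26T10:01:00 firefox.exe www.youtube.com
2019-11-26T10:02:00 update.exe youtube.com
"""

# Processes for which YouTube traffic is expected (assumed allow-list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}
YOUTUBE_HOST = re.compile(r"(^|\.)youtube\.com$", re.IGNORECASE)


def parse(log):
    """Parse the assumed log format into (timestamp, process, destination) tuples."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, proc, dest = line.split()
            events.append((datetime.fromisoformat(ts), proc, dest))
    return events


def host_of(dest):
    """Strip an optional :port from a destination."""
    return dest.rsplit(":", 1)[0]


def suspicious_youtube_access(events):
    """Return events where a process that is not a browser contacts youtube.com."""
    return [(ts, proc, dest) for ts, proc, dest in events
            if YOUTUBE_HOST.search(host_of(dest)) and proc.lower() not in BROWSERS]


def candidate_proxies(events, window=timedelta(seconds=60)):
    """Map each flagged process to the non-YouTube destinations it contacted
    within `window` after its YouTube fetch; these are the addresses it may
    have obtained from a video description."""
    out = {}
    for t0, proc, _ in suspicious_youtube_access(events):
        for t1, proc2, dest2 in events:
            if (proc2 == proc and t0 < t1 <= t0 + window
                    and not YOUTUBE_HOST.search(host_of(dest2))):
                out.setdefault(proc, []).append(dest2)
    return out
```

Running `candidate_proxies(parse(SAMPLE_LOG))` on the constructed log attributes the follow-on connection to `svchost.exe`, while `update.exe` is flagged for the YouTube fetch alone.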