Stantinko's Linux malware now poses as an Apache web server

silversurfer

Stantinko, one of the oldest malware botnets still operating today, has rolled out updates to its class of Linux malware, upgrading its trojan to pose as the legitimate Apache web server process (httpd) in order to make detection harder on infected hosts.
The upgrades, spotted by security firm Intezer Labs, come to confirm that despite a period of inactivity in regard to code changes, the Stantinko botnet continues to operate even today.
The last version of Stantinko's Linux malware was spotted back in 2017, having a version number of 1.2. But in a report released today and shared with ZDNet, Intezer Labs said that after three years, they have recently discovered a new version of Stantinko's Linux malware, having a version number of 2.17 — a huge jump from the previous known release.
However, despite the huge version gap between the two releases, the Intezer team notes that the new version is actually leaner and contains fewer features than the older release, which is odd, as malware tends to bulk up as years go by.
One reason behind this odd move is that the Stantinko gang might have removed all the chaff from its code and left only the features they need and use on a daily basis. This includes the proxy feature, still present in the newer release, and crucial for its brute-forcing operations.
Another reason might also be that the Stantinko gang was attempting to reduce the malware's fingerprint against antivirus solutions. Fewer lines of code mean less malicious behavior to detect.
And Intezer notes that Stantinko almost pulled it off, as the newer version had a very low detection rate on the VirusTotal aggregated virus scanner, almost going undetected.
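A process can call itself httpd, but its on-disk binary is harder to fake. The following added example (not code from the post, ZDNet or Intezer Labs) is a small defender-side check that lists processes named httpd or apache2 whose executable is not one of the assumed distribution install paths in LEGIT_HTTPD_PATHS, or whose binary has been deleted from disk; the sample process records are constructed.

```python
import os
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: where a distribution-installed Apache binary normally lives.
# Extend this set for your own layout (e.g. /opt/apache2/bin/httpd).
LEGIT_HTTPD_PATHS = {
    "/usr/sbin/httpd",
    "/usr/sbin/apache2",
    "/usr/local/apache2/bin/httpd",
}

@dataclass
class Proc:
    pid: int
    comm: str            # /proc/<pid>/comm: the name a process can freely choose
    exe: Optional[str]   # resolved /proc/<pid>/exe link: the real binary on disk
    cwd: str             # resolved /proc/<pid>/cwd link

def suspicious_httpd(procs: Iterable[Proc]) -> List[Proc]:
    """Return processes that present as Apache but whose binary is not a known
    Apache path, or whose binary was unlinked after start (" (deleted)" suffix)."""
    hits = []
    for p in procs:
        if p.comm not in ("httpd", "apache2"):
            continue
        exe = p.exe or ""
        deleted = exe.endswith(" (deleted)")
        real_path = exe[:-len(" (deleted)")] if deleted else exe
        if deleted or real_path not in LEGIT_HTTPD_PATHS:
            hits.append(p)
    return hits

def read_procs() -> List[Proc]:
    """Collect live processes from /proc (Linux only; unreadable entries are skipped)."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            cwd = os.readlink(f"/proc/{pid}/cwd")
        except OSError:
            continue  # process exited, kernel thread, or not ours to inspect
        out.append(Proc(pid, comm, exe, cwd))
    return out

# Constructed sample: one genuine Apache worker, two impostors, one unrelated daemon.
SAMPLE = [
    Proc(1234, "httpd", "/usr/sbin/httpd", "/"),
    Proc(2310, "httpd", "/tmp/.x/httpd", "/tmp/.x"),
    Proc(2415, "httpd", "/home/user/httpd (deleted)", "/home/user"),
    Proc(3001, "sshd", "/usr/sbin/sshd", "/"),
]

if __name__ == "__main__":
    for p in suspicious_httpd(read_procs()):
        print(f"pid {p.pid}: comm={p.comm} exe={p.exe} cwd={p.cwd}")
```

Run it on a live host to walk /proc; a hit means only that the name and the binary disagree, which is where a manual look at the executable and its cwd should start.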