
ESET: malware is constantly disguised & has infected 500,000 users

ESET has identified and is investigating a complex threat, which comes from a new malware strain and has so far affected half a million users.

The modus operandi of the malware, called Stantinko, is detailed in a recent ESET white paper. It states that the malware tricks victims into downloading pirated software from bogus torrent sites, and that for five years it has kept transforming itself, making it difficult to detect.

Targeting mainly Russian-speaking users, Stantinko is a botnet that earns revenue by installing browser extensions that display fake ads while the victim browses the internet. Once installed on a machine, it can anonymously perform mass Google searches and create fake Facebook accounts, which are able to add friends and "like" images and pages.

A "Modular Backdoor"

Stantinko uses powerful techniques to evade detection and can hide in simple code that appears legitimate. The malicious code can be hidden or encrypted either in a file or in the Windows registry, and is decrypted using a key generated during the initial breach. Its malicious behavior cannot be observed until it receives new data from the command-and-control server, which makes detection difficult.

On infected machines, two Windows services with malicious content are installed and automatically started at system startup. "If you get infected, it is difficult to get rid of it, since each of the services has the ability to reinstall the other in case it is deleted from the system. To completely eliminate the problem, the user must delete both services from their machine at the same time", explains Frédéric Vachon, Malware Researcher at ESET.
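One way to act on that advice, as an added PowerShell example that is not from ESET or this article: stop both service host processes before deleting either registration, so that neither watchdog is alive to reinstall its sibling, then check that neither came back. The two service names are placeholders, since the article does not give them; take the real names from your own analysis of the infected host and run this in an elevated shell.

```powershell
# Added example (not ESET's or the article's code): remove a pair of
# mutually-reinstalling services by stopping both before deleting either.
# PLACEHOLDER_SERVICE_A / _B are assumed names; substitute the real ones.
$Names = @('PLACEHOLDER_SERVICE_A', 'PLACEHOLDER_SERVICE_B')

$svcs = foreach ($n in $Names) {
    Get-CimInstance Win32_Service -Filter "Name='$n'"
}
if (@($svcs).Count -ne 2) {
    throw "Expected both services to be present; found $(@($svcs).Count)."
}

# Record binary paths and PIDs before anything changes, for later quarantine.
$svcs | Select-Object Name, State, StartMode, ProcessId, PathName | Format-List

# 1. Kill both host processes first: a dead watchdog cannot recreate its sibling.
$pids = $svcs | Where-Object { $_.ProcessId -gt 0 } |
        Select-Object -ExpandProperty ProcessId
if ($pids) { Stop-Process -Id $pids -Force -ErrorAction SilentlyContinue }

# 2. Disable both so a reboot cannot restart them while we work.
foreach ($n in $Names) {
    Set-Service -Name $n -StartupType Disabled -ErrorAction SilentlyContinue
}

# 3. Delete both registrations back to back.
foreach ($n in $Names) { & sc.exe delete $n | Out-Null }

# 4. Verify neither service was re-created by a surviving component.
Start-Sleep -Seconds 5
$left = foreach ($n in $Names) {
    Get-Service -Name $n -ErrorAction SilentlyContinue
}
if ($left) {
    Write-Warning "Service(s) re-appeared: $($left.Name -join ', '); a watchdog is still running."
} else {
    Write-Output 'Both services removed; quarantine the binaries listed above and reboot.'
}
```

If the check in step 4 reports that a service re-appeared, another persistence component (for example a third process or a scheduled task) is still active and must be found before repeating the procedure.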

Once inside a device, Stantinko installs two browser plug-ins, both available in the Google Chrome Web Store: "The Safe Surfing" and "Teddy Protection". "Both plugins were still available online at the time of our analysis," claims Marc-Etienne Léveillé, Senior Malware Researcher at ESET. "At first glance they look like legitimate browser extensions and even have a website. However, when installed by Stantinko, the extensions get new settings, which include rules for causing fraud with illegal clicks and ads."

Once Stantinko infiltrates a computer, its operators can use flexible plugins to do whatever they want with the compromised system, such as anonymously performing mass searches to find Joomla and WordPress sites, attacking them, finding and stealing data, and creating fake Facebook accounts.

How the hackers behind Stantinko make money

Stantinko shows great potential for profit, as click fraud is a major source of revenue for hackers. According to research by White Ops and the Association of Advertisers in the US, click fraud attacks this year alone have cost businesses an estimated 6.5 billion US dollars.

Data from websites compromised by Stantinko can also be sold on the black market, since the malware can guess passwords by trying thousands of different combinations. Although ESET researchers were unable to track malicious activity on social networks, Stantinko's creators have a tool that allows them to run scams on Facebook, selling illegal "likes" to attract the attention of unsuspecting consumers.

The Safe Surfing and Teddy Protection plugins can display ads or redirect the user. "They allow Stantinko's creators to get paid for the traffic of these ads. We even found that users were accessing the advertiser's website directly through ads belonging to Stantinko," concludes Matthieu Faou, Malware Researcher at ESET.

For more information about Stantinko, visit welivesecurity.com.

SecNews, https://secnews.gr