
Stantinko is not the kind of malware that a routine anti-virus scan can detect and eliminate. It is so complex that internet security company Eset has been closely monitoring the botnet since 2017, and it had already operated undetected for five years before that.

Since then, the malware has undergone extensive changes that allow it to evade detection. More recently, as Eset found, it is targeting cryptocurrency and cloaks its malicious behavior behind YouTube.

In a new report published on Tuesday, Eset says Stantinko has found a new way to make money by adding crypto mining to its list of criminal activities. The malware has a particular liking for only one cryptocurrency, Monero (XMR), which has been its main moneymaker since August last year.

Another way the malware remained undetected until recently is by leveraging the popular video-sharing platform YouTube.

Stantinko uses YouTube channels to plant the module, which compromises its victims' devices and mines XMR. Overall, the botnet is estimated to have infected half a million devices, with victims primarily in Russia, Ukraine, Belarus, and Kazakhstan.

"CoinMiner.Stantinko doesn't communicate with its mining pool directly, but via proxies whose IP addresses are acquired from the description text of YouTube videos," researchers at Eset said.

"A similar technique to hide data in descriptions of YouTube videos is used by the banking malware Casbaneiro. Casbaneiro uses much more legitimate-looking channels and descriptions, but for much the same purpose: storing encrypted C&Cs."
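The technique the researchers describe, relay or C&C addresses parked in video description text, can be checked for from the defender's side by scanning description text for embedded network endpoints. The following is an added example written for this article; it is not Eset's code, and the three sample descriptions are constructed (the addresses come from the RFC 5737 documentation ranges, so they point at nothing real):

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Dotted-quad IPv4 candidate with an optional ":port" suffix, bounded so that
# longer dotted runs (e.g. "1.2.3.4.5") and version-like fragments are not split
# into a false match.
_IPV4_PORT = re.compile(
    r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?(?![\d.])"
)

# Ranges that cannot be an Internet-reachable relay; anything here is ignored.
# The RFC 5737 documentation ranges are deliberately NOT excluded because the
# constructed samples below use them as placeholders.
_SKIP_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16")
]


class Endpoint(NamedTuple):
    ip: str
    port: Optional[int]


def extract_endpoints(text: str) -> List[Endpoint]:
    """Return every syntactically valid, non-internal IPv4[:port] found in text."""
    found: List[Endpoint] = []
    for m in _IPV4_PORT.finditer(text):
        ip_str, port_str = m.group(1), m.group(2)
        try:
            ip = ipaddress.IPv4Address(ip_str)
        except ValueError:
            continue  # e.g. an octet above 255 such as 999.1.2.3
        if any(ip in net for net in _SKIP_NETWORKS):
            continue  # private/loopback/link-local: not usable as a relay
        port: Optional[int] = None
        if port_str is not None:
            port = int(port_str)
            if not 1 <= port <= 65535:
                continue
        found.append(Endpoint(str(ip), port))
    return found


def flag_descriptions(descriptions: List[str]) -> List[Tuple[int, List[Endpoint]]]:
    """Return (index, endpoints) for each description that carries an endpoint."""
    flagged = []
    for i, text in enumerate(descriptions):
        endpoints = extract_endpoints(text)
        if endpoints:
            flagged.append((i, endpoints))
    return flagged


# Constructed sample descriptions (hypothetical, not taken from any real channel).
SAMPLE_DESCRIPTIONS = [
    "Best travel vlog of 2019! Subscribe for more. Filmed 12.10.2019 with a 4.7 lens.",
    "Tutorial part 3. mirror: 203.0.113.45:3333 and backup 198.51.100.7",
    "test server 192.168.1.10:8080 and version 999.1.2.3",
]

if __name__ == "__main__":
    for idx, eps in flag_descriptions(SAMPLE_DESCRIPTIONS):
        print(f"description #{idx} carries endpoint(s): {eps}")
```

Only the second sample is flagged: the first contains dates and decimals that are not dotted quads, and the third holds a private address and an invalid octet. A real deployment would feed descriptions obtained through the platform's API into `flag_descriptions` and treat hits on channels with no legitimate reason to publish raw IP:port pairs as an indicator worth correlating with outbound connections from endpoints.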

Before involving YouTube, Stantinko used other methods to get its malicious files onto victims' computers. The malware hid in torrents and monetized its criminal activity by installing browser extensions (The Safe Surfing and Teddy Protection) that performed "click fraud, ad injection, social network fraud, and password-stealing attacks."

YouTube has already taken down the channels associated with the malware after being informed by Eset.

Stantinko is somewhat similar to the malware revealed by the Microsoft Defender ATP Research Team on the same day. "Dexphot" exhibits a comparably complex design that allowed it to remain undetected. Dexphot had infected approximately 80,000 devices in June this year, a number Microsoft was able to cut down to 10,000 by July.