An adware and coin-miner botnet that has targeted Russia, Ukraine, Belarus, and Kazakhstan since at least 2012 has now set its sights on Linux servers to fly under the radar.
According to a new analysis published by Intezer today and shared with The Hacker News, the trojan masquerades as HTTPd, a commonly used program on Linux servers, and is a new version of the malware belonging to a threat actor tracked as Stantinko.
Back in 2017, ESET researchers detailed a massive adware botnet that works by tricking users looking for pirated software into downloading malicious executables disguised as torrents to install rogue browser extensions that perform ad injection and click fraud.
The covert campaign, which controls a vast army of half a million bots, has since received a substantial upgrade in the form of a crypto-mining module aimed at profiting from the computers under its control.
Although Stantinko has traditionally been Windows malware, the expansion of its toolset to target Linux didn't go unnoticed, with ESET observing a Linux trojan proxy deployed via malicious binaries on compromised servers.
Intezer's latest research offers fresh insight into this Linux proxy, specifically a newer version (v2.17) of the same malware (v1.2) called "httpd," with one sample of the malware uploaded to VirusTotal on November 7 from Russia.
Upon execution, "httpd" validates a configuration file located in "etc/pd.d/proxy.conf" that's delivered along with the malware, following it up by creating a socket and a listener to accept connections from what the researchers believe are other infected systems.
An HTTP POST request from an infected client paves the way for the proxy to pass on the request to an attacker-controlled server, which then responds with an appropriate payload that's forwarded by the proxy back to the client.
In the event a non-infected client sends an HTTP GET request to the compromised server, an HTTP 301 redirect to a preconfigured URL specified in the configuration file is sent back.
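The GET and POST behaviour described above can be turned into a triage heuristic for HTTP response logs. The following is an added example, not code from Intezer or from the original article: it flags servers that answer every GET with a 301 to one fixed URL while still serving POSTs. The record layout, the `min_gets` threshold, and the assumption that proxied POSTs return a non-301 status are illustrative choices, and all sample data is constructed.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry):
# (server, method, status, Location header or None)
SAMPLE = [
    ("10.0.0.5", "GET", 301, "http://redirect.example/"),
    ("10.0.0.5", "GET", 301, "http://redirect.example/"),
    ("10.0.0.5", "GET", 301, "http://redirect.example/"),
    ("10.0.0.5", "POST", 200, None),
    # Ordinary web app: mixed GET results, so not flagged.
    ("10.0.0.9", "GET", 200, None),
    ("10.0.0.9", "GET", 200, None),
    ("10.0.0.9", "GET", 301, "http://10.0.0.9/app/"),
    ("10.0.0.9", "POST", 200, None),
    # Plain redirector that never serves a POST: not flagged.
    ("10.0.0.7", "GET", 301, "https://site.example/"),
    ("10.0.0.7", "GET", 301, "https://site.example/"),
    ("10.0.0.7", "GET", 301, "https://site.example/"),
]


def flag_proxy_like_servers(records, min_gets=3):
    """Return servers whose GETs all 301 to a single URL while POSTs are served.

    Heuristic only: a hit is a reason to inspect the host, not a verdict.
    """
    gets = defaultdict(list)   # server -> [(status, location), ...]
    posts = defaultdict(list)  # server -> [status, ...]
    for server, method, status, location in records:
        method = method.upper()
        if method == "GET":
            gets[server].append((status, location))
        elif method == "POST":
            posts[server].append(status)

    flagged = []
    for server, seen in gets.items():
        if len(seen) < min_gets:
            continue  # too few observations to judge
        all_301 = all(status == 301 for status, _ in seen)
        single_target = len({loc for _, loc in seen}) == 1
        # Assumption: a proxied POST comes back with something other than 301.
        post_served = any(s != 301 for s in posts.get(server, []))
        if all_301 and single_target and post_served:
            flagged.append(server)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_proxy_like_servers(SAMPLE))
```

A flagged host warrants checking what binary is actually listening on the port and whether a file such as the "proxy.conf" mentioned above is present alongside it.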
Stating that the new version of the malware only functions as a proxy, Intezer researchers said the new variant shares several function names with the old version and that some hardcoded paths bear similarities to previous Stantinko campaigns.
"Stantinko is the latest malware targeting Linux servers to fly under the radar, alongside threats such as Doki, IPStorm and RansomEXX," the firm said. "We think this malware is part of a broader campaign that takes advantage of compromised Linux servers."