Thursday, January 21, 13:51

The new version of Stantinko malware appears as an Apache web server

Stantinko, one of the oldest malware botnets, has updated its Linux malware, upgrading its trojan to pose as the legitimate Apache web server process (httpd) so that infected hosts are harder to spot.

The upgrades, identified by security company Intezer Labs, confirm that despite a period of inactivity - in terms of code changes - the Stantinko botnet continues to operate today.

The Stantinko botnet was first detected in 2012. The team behind this malware started out by distributing the Stantinko trojan bundled with application installers or pirated software. As the botnet grew and became more profitable, its code evolved. An important update was discovered in 2017, when the security company ESET found that Stantinko was using special versions of its malware for Linux systems.

Stantinko Apache malware

The last known version of the Stantinko Linux malware was detected in 2017 and carried version number 1.2. But in a report released today on ZDNet, Intezer Labs said it had recently discovered a new version of the Stantinko Linux malware, version 2.17, a huge leap from the previously known version.

However, despite the huge gap between the two version numbers, the Intezer team notes that the new version is actually simpler and contains fewer features than the older one, which is strange.

One possible reason for this odd move is that the Stantinko gang stripped the code of everything except the features it needs and uses daily. That includes its proxy capability, which is still present in the latest version and is critical to its brute-force attack functions.

Another reason could be that the Stantinko gang was trying to reduce the malware's footprint in antivirus detection. Fewer lines of code mean less malicious behaviour for scanners to detect.

Intezer also notes that the latest version of Stantinko had a very low detection rate on VirusTotal, describing it as almost undetectable.

Posing as the Apache web server

In addition, the Stantinko hackers appear to have changed the name of the process used by the Linux malware, choosing httpd, the process name commonly used by the popular Apache web server.

This was obviously done so that server owners would not notice the malware during a routine visual inspection of running processes, since the Apache web server is included by default in many Linux distributions and an httpd process is normally present on the kind of Linux systems that Stantinko infects.
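A process name is cheap to fake (a program can set it to anything), but the executable link under /proc/<pid>/exe still points at the file actually running. The following audit script is an added example for defenders, not code from the article, from Intezer or from ESET: it takes process records in the shape you would read from /proc (comm, exe link, argv) and flags anything calling itself httpd or apache2 whose binary is not in a packaged Apache location, has been unlinked from disk, lives in a temp or hidden directory, or whose argv[0] disagrees with the real executable. The sample records and the list of expected Apache paths are constructed assumptions for this example; the paths reflect common RHEL- and Debian-style package layouts and should be extended for your own environment.

```python
import os
import sys
from typing import Dict, List

# Constructed sample records in the shape you would read from /proc/<pid>/comm,
# os.readlink(/proc/<pid>/exe) and /proc/<pid>/cmdline. Illustrative values only,
# not observations from real Stantinko samples.
SAMPLE_PROCESSES: List[Dict] = [
    {"pid": 1207, "comm": "httpd", "exe": "/usr/sbin/httpd",
     "argv": ["/usr/sbin/httpd", "-DFOREGROUND"]},          # genuine packaged Apache
    {"pid": 2331, "comm": "httpd", "exe": "/tmp/.cache/httpd",
     "argv": ["httpd"]},                                     # impostor in a hidden temp dir
    {"pid": 2402, "comm": "httpd", "exe": "/var/tmp/httpd (deleted)",
     "argv": ["/usr/sbin/httpd", "-k", "start"]},           # binary removed after exec, argv[0] forged
    {"pid": 880, "comm": "sshd", "exe": "/usr/sbin/sshd",
     "argv": ["/usr/sbin/sshd", "-D"]},                     # unrelated daemon, out of scope
]

# Where distribution packages install the Apache binary (assumption for this example).
EXPECTED_APACHE_PATHS = {
    "/usr/sbin/httpd", "/usr/sbin/apache2", "/usr/local/apache2/bin/httpd",
    "/usr/lib/apache2/mpm-prefork/apache2", "/usr/lib/apache2/mpm-event/apache2",
}
APACHE_NAMES = {"httpd", "apache2"}
# Directories from which a packaged web server should never be running.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
DELETED_SUFFIX = " (deleted)"  # the kernel appends this to /proc/<pid>/exe when the file is unlinked


def audit_process(rec: Dict) -> List[str]:
    """Return the reasons a process claiming to be Apache looks wrong (empty list if it looks fine)."""
    argv0 = rec["argv"][0] if rec["argv"] else ""
    if rec["comm"] not in APACHE_NAMES and os.path.basename(argv0) not in APACHE_NAMES:
        return []  # does not claim to be Apache, nothing to check here
    reasons = []
    deleted = rec["exe"].endswith(DELETED_SUFFIX)
    real_exe = rec["exe"][: -len(DELETED_SUFFIX)] if deleted else rec["exe"]
    if deleted:
        reasons.append("binary was unlinked from disk after exec")
    if real_exe not in EXPECTED_APACHE_PATHS:
        reasons.append(f"executable {real_exe} is outside packaged Apache locations")
    hidden_component = any(part.startswith(".") for part in real_exe.split("/") if part)
    if real_exe.startswith(SUSPECT_DIRS) or hidden_component:
        reasons.append("executable lives in a temp, home or hidden directory")
    # argv[0] may legitimately be the full path or just the basename; anything else is rewritten.
    if argv0 and argv0 not in (real_exe, os.path.basename(real_exe)):
        reasons.append(f"argv[0] {argv0!r} does not match executable {real_exe}")
    return reasons


def audit_processes(records: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every record that raised at least one finding."""
    findings = {}
    for rec in records:
        reasons = audit_process(rec)
        if reasons:
            findings[rec["pid"]] = reasons
    return findings


def collect_live_processes() -> List[Dict]:
    """Read the same fields from a live /proc (Linux only; root is needed to read other users' exe links)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"{base}/exe")
            with open(f"{base}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # process exited mid-scan, or we lack permission for its exe link
        procs.append({"pid": int(pid), "comm": comm, "exe": exe, "argv": argv})
    return procs


if __name__ == "__main__":
    # Run on the constructed sample by default; pass --live to audit this host's /proc instead.
    records = collect_live_processes() if "--live" in sys.argv else SAMPLE_PROCESSES
    for pid, reasons in audit_processes(records).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

On the sample data the genuine httpd (pid 1207) and sshd pass, while pids 2331 and 2402 are reported. The exe link is the stronger signal: the name in /proc/<pid>/comm and argv[0] are both under the program's control, whereas the kernel maintains the exe link itself, so a name check alone (the "regular visual inspection" the article mentions) is exactly what this renaming is designed to defeat.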

However, Linux administrators need to be aware that as the Linux operating system continues to expand in corporate environments, more and more malware gangs will start targeting Linux.



Teo Ehc

