Stantinko, one of the oldest malware botnets, has updated its Linux malware, disguising its trojan as the legitimate Apache web server process (httpd) to make infected hosts harder to detect.
The upgrades, identified by security company Intezer Labs, confirm that, despite a period of inactivity in terms of code changes, the Stantinko botnet continues to operate today.
The Stantinko botnet was first detected in 2012. The team behind this malware started out by distributing the Stantinko trojan bundled with application packages or pirated applications. As the botnet grew and became more profitable, its code evolved. A notable update was discovered in 2017, when the security company ESET found that Stantinko used special versions of its malware for Linux systems.
The last known version of Stantinko's Linux malware was detected in 2017, with version number 1.2. But in a report published today and covered by ZDNet, Intezer Labs said it had recently discovered a new version of the Stantinko Linux malware, version 2.17, a huge leap from the previously known version.
However, despite the large gap between the two version numbers, the Intezer team notes that the new version is actually simpler and contains fewer features than the older one, which is strange.
One explanation for this odd move is that the Stantinko gang may have stripped the code down to only the features that are necessary and used daily. This includes its proxy capability, which still exists in the latest version and is critical to its brute-force attacks.
Another reason could be that the Stantinko gang was trying to reduce the malware's footprint in antivirus detection. Fewer lines of code mean fewer malicious behaviors to be detected.
Posing as the Apache web server
In addition, the Stantinko operators appear to have changed the name of the process used by the Linux malware to httpd, the name commonly used by the popular Apache web server.
This was obviously done so that server owners would not spot the malware in a routine visual inspection, since the Apache web server is included by default in many Linux distributions and this process usually runs on the kinds of Linux systems that Stantinko generally infects.
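The process name a daemon reports (the `comm` field shown by `ps`) is chosen by the process itself and can be set to anything, so a name of httpd on its own proves nothing. The path behind `/proc/<pid>/exe`, by contrast, is maintained by the kernel and points at the binary actually executed. The following added example (written for this article, not code from Intezer or from Stantinko) checks every process calling itself httpd against a list of the paths where distribution packages install Apache, and additionally flags binaries running from scratch directories or deleted from disk after launch. The allow-list, the untrusted-directory list and the sample process table are constructed for illustration and should be adjusted per distribution.

```python
"""Flag processes that call themselves httpd but do not run from a known Apache binary.

Added example, not part of the article or of Intezer's research. Assumes a Linux
host with /proc mounted; the path lists and the sample process table below are
constructed for illustration.
"""
import os
from dataclasses import dataclass

# Where distribution packages normally install the Apache binary (assumption: adjust per distro).
KNOWN_HTTPD_BINARIES = {
    "/usr/sbin/httpd",
    "/usr/sbin/apache2",
    "/usr/local/apache2/bin/httpd",
}

# Directories from which a legitimate web server daemon is not expected to run (assumption).
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str   # short process name, as in /proc/<pid>/comm or `ps -o comm`
    exe: str    # resolved target of /proc/<pid>/exe


def classify(proc):
    """Return a reason string if the process looks like an httpd impostor, else None."""
    if proc.comm != "httpd":
        return None
    if proc.exe.endswith(" (deleted)"):
        # The kernel appends this marker when the executed file was unlinked after launch.
        return "binary deleted from disk while running"
    if proc.exe.startswith(UNTRUSTED_DIRS):
        return f"runs from an untrusted directory: {proc.exe}"
    if proc.exe not in KNOWN_HTTPD_BINARIES:
        return f"binary is not a known Apache install path: {proc.exe}"
    return None


def find_impostors(procs):
    """Return [(pid, reason)] for every process flagged by classify()."""
    hits = []
    for p in procs:
        reason = classify(p)
        if reason:
            hits.append((p.pid, reason))
    return hits


def read_proc_table():
    """Snapshot the live process table from /proc (needs root to read every exe link)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or we lack permission for its exe link
        procs.append(Proc(pid, comm, exe))
    return procs


# Constructed sample table standing in for a live snapshot.
SAMPLE_PROCS = [
    Proc(812, "httpd", "/usr/sbin/httpd"),               # genuine Apache
    Proc(2041, "httpd", "/tmp/.x/httpd"),                # renamed binary in /tmp
    Proc(2077, "httpd", "/opt/work/httpd (deleted)"),    # binary removed after launch
    Proc(3120, "sshd", "/usr/sbin/sshd"),                # unrelated daemon
]

if __name__ == "__main__":
    for pid, reason in find_impostors(read_proc_table()):
        print(f"pid {pid}: {reason}")
```

Run as root to see the exe links of all processes; on the constructed sample the two impostors (pids 2041 and 2077) are reported and the genuine Apache process is not. The check deliberately does not cover the case where an attacker overwrites the packaged Apache binary in place; that requires verifying the installed file against the package database (for example `rpm -V httpd` or `debsums apache2`) rather than looking at process names and paths.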
However, Linux administrators need to be aware that as Linux continues to spread through corporate environments, more and more malware gangs will start targeting it.