A threat group tracked as Stantinko has been observed using a new version of a Linux proxy Trojan that poses as an Apache web server process to stay undetected.
Stantinko is thought to have been running since at least 2012 and was first documented in 2017. It herds compromised machines into a botnet used primarily for large adware schemes, but also for backdoor operations, brute-force attacks, and more.
The Stantinko group was historically known mainly for attacking Windows systems, but recent attacks show that it is now evolving its Linux malware, with a new proxy Trojan masquerading as httpd, the Apache Hypertext Transfer Protocol Server that runs on many Linux servers.
“We believe that this malware is part of a broader campaign that uses compromised Linux servers,” say security researchers at Intezer.
Detected on VirusTotal by a single anti-virus engine, the sample is an unstripped 64-bit ELF binary that validates a configuration file upon execution. The malware refuses to run if this file is absent or does not have the expected structure.
If validation succeeds, the proxy daemonizes itself, creates a socket and starts a listener so that it can accept incoming connections. According to Intezer, this may be how infected machines communicate with each other.
The new version, discovered almost three years after the previous one, serves a similar function but shows several changes: the command and control (C&C) IP address is now stored in a configuration file dropped next to the malware, the self-updating capability of the earlier version is absent, and the new version is dynamically linked.
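A defender-side check that follows from the behaviour described above (a process named httpd running from an unexpected path, with a non-executable configuration file sitting beside the binary). This is an added example, not Intezer's tooling or anything from the sample; the trusted binary locations, the process records and the sidecar file name are assumptions constructed for the illustration.

```python
import os

# Assumed locations of a package-installed Apache binary; adjust per distribution.
TRUSTED_HTTPD = {"/usr/sbin/httpd", "/usr/sbin/apache2", "/usr/local/apache2/bin/httpd"}
HTTPD_NAMES = {"httpd", "apache2"}


def classify(proc, trusted=TRUSTED_HTTPD):
    """Return a reason string if a process claiming to be httpd looks suspicious, else None.

    proc is a dict with "comm" (process name), "exe" (resolved binary path) and an
    optional "sidecar_files" list of non-executable files found beside the binary.
    """
    if proc["comm"] not in HTTPD_NAMES:
        return None
    if proc["exe"] in trusted:
        return None
    reasons = [f"exe outside trusted paths: {proc['exe']}"]
    if proc.get("sidecar_files"):
        reasons.append("non-executable files beside binary: " + ", ".join(proc["sidecar_files"]))
    return "; ".join(reasons)


def list_procs(trusted=TRUSTED_HTTPD):
    """Collect comm/exe for every readable process under /proc (root is needed to read all exe links)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")  # may carry a " (deleted)" suffix
        except OSError:
            continue
        rec = {"pid": int(pid), "comm": comm, "exe": exe, "sidecar_files": []}
        if comm in HTTPD_NAMES and exe not in trusted:
            d = os.path.dirname(exe)
            try:
                rec["sidecar_files"] = [f for f in os.listdir(d)
                                        if not os.access(os.path.join(d, f), os.X_OK)]
            except OSError:
                pass
        procs.append(rec)
    return procs


def scan(procs):
    """Map pid -> reason for every suspicious record in procs."""
    findings = {}
    for p in procs:
        reason = classify(p)
        if reason:
            findings[p["pid"]] = reason
    return findings


if __name__ == "__main__":
    for pid, why in scan(list_procs()).items():
        print(pid, why)
```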
Several function names in the sample match those of the previous version, but the current version does not call them statically. In addition, the C&C paths point to the same group's previous campaigns, indicating that the current Trojan is still tied to Stantinko.