Operators of Stantinko, one of the oldest botnets still active today, have updated their Linux Trojan so that it disguises itself as a legitimate Apache web server (httpd) process in order to evade detection.
The Stantinko botnet was first discovered in 2012 and initially targeted only Windows users. The malware was distributed through pirated software or bundled with other applications, and was used to display unwanted advertisements or to run cryptocurrency miners on infected systems.
As the malware became more profitable, its operators began modernizing their code: in 2017, for example, a Linux version of the Trojan appeared. Acting as a SOCKS5 proxy, this version turned infected Linux machines into nodes of a larger proxy network, which was used to carry out brute-force attacks against content management systems (CMS), databases and other web applications.
Once a target was compromised, the Stantinko operators escalated their privileges on the host (Linux or Windows) and installed a copy of the malware along with a cryptominer.
The Linux Trojan found in 2017 was version 1.2. In a recent report, researchers at the security company Intezer Labs described version 2.17. The new version is smaller and has far fewer features than the one from three years ago, which is unusual, since malware tends to grow in size over the years.
The operators have stripped everything non-essential out of the code, keeping only the core functionality, including the proxy. Another reason for the reduced size is the developers' wish to leave as small a footprint as possible: fewer features mean fewer strings, behaviours and code patterns for antivirus signatures to match on.
In the new version, the developers also changed the name under which the process runs. It is now httpd, the name used by the well-known Apache web server. The aim is to hide the malicious activity from users and administrators, since an httpd process is an unremarkable sight on Linux servers and the Apache web server ships with many Linux distributions.
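A process name is the cheapest thing for malware to forge, so a defender should verify what a process named httpd actually is rather than trust `ps` output. The script below is an added example, written for this page; it is not code from the article, from Intezer's report, or from the Stantinko samples. It reads the kernel's view of each process under /proc and flags any process calling itself httpd whose backing executable is not a packaged Apache binary, is deleted from disk, lives in a scratch directory, or whose argv[0] does not match the executable. The trusted paths, the scratch directories and the sample process records are assumptions constructed for the example, not data from the page.

```python
"""Added example (not from the article or from Intezer): flag processes that
call themselves "httpd" but whose backing executable does not look like the
packaged Apache binary. The heuristic is a pure function (assess) so it can be
exercised on constructed input; scan_proc() applies it to the live /proc."""
import os
from typing import Dict, List, Tuple

# Assumption: where distro packages install the Apache binary.
# Debian/Ubuntu ship it as /usr/sbin/apache2, RHEL/Fedora as /usr/sbin/httpd.
TRUSTED_EXE_PATHS = {
    "/usr/sbin/httpd",
    "/usr/sbin/apache2",
    "/usr/local/apache2/bin/httpd",
}
# Assumption: directories a real web server never executes from.
SUSPICIOUS_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/root")

DELETED_SUFFIX = " (deleted)"  # appended by the kernel to /proc/<pid>/exe


def _under(path: str, directory: str) -> bool:
    """True if path is directory itself or lies beneath it."""
    return path == directory or path.startswith(directory + "/")


def assess(comm: str, exe: str, cmdline: List[str]) -> List[str]:
    """Return the reasons a process looks like it is masquerading as httpd.

    comm    -- contents of /proc/<pid>/comm (the name ps and top display)
    exe     -- target of the /proc/<pid>/exe symlink ('' if unreadable)
    cmdline -- argv split out of /proc/<pid>/cmdline
    An empty list means no check fired."""
    reasons: List[str] = []
    if comm.strip() != "httpd":
        return reasons  # only processes that claim to be httpd are of interest
    if not exe:
        return ["exe link unreadable (kernel thread, or insufficient privilege)"]
    if exe.endswith(DELETED_SUFFIX):
        reasons.append("backing binary has been deleted from disk")
        exe = exe[: -len(DELETED_SUFFIX)]
    if any(_under(exe, d) for d in SUSPICIOUS_DIRS):
        reasons.append(f"binary runs from a scratch or user directory: {exe}")
    if exe not in TRUSTED_EXE_PATHS:
        reasons.append(f"binary is not a packaged Apache path: {exe}")
    argv0 = cmdline[0] if cmdline else ""
    if argv0 and os.path.basename(argv0) != os.path.basename(exe):
        reasons.append(f"argv[0] {argv0!r} does not match the executable name")
    return reasons


def scan_proc(proc: str = "/proc") -> Dict[int, List[str]]:
    """Walk /proc and return {pid: reasons} for every httpd-named process that
    trips a check. Reading another user's exe link needs root."""
    findings: Dict[int, List[str]] = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                raw = f.read()
            cmdline = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = ""
        except OSError:
            continue  # process exited between listdir and open
        reasons = assess(comm, exe, cmdline)
        if reasons:
            findings[int(entry)] = reasons
    return findings


# Constructed sample records (not real captures), shaped like /proc data.
# The "fake" one mimics the article's masquerade: a binary elsewhere on disk
# that has renamed itself httpd and rewritten argv[0] to look packaged.
SAMPLE_REAL: Tuple[str, str, List[str]] = (
    "httpd\n", "/usr/sbin/httpd", ["/usr/sbin/httpd", "-DFOREGROUND"])
SAMPLE_FAKE: Tuple[str, str, List[str]] = (
    "httpd\n", "/dev/shm/.x/proxy (deleted)", ["/usr/sbin/httpd"])


if __name__ == "__main__":
    for label, rec in (("real", SAMPLE_REAL), ("fake", SAMPLE_FAKE)):
        print(label, "->", assess(*rec) or "clean")
    for pid, reasons in sorted(scan_proc().items()):
        print(f"PID {pid}:")
        for r in reasons:
            print("  -", r)
```

The checks rely on /proc being truthful; a kernel-level rootkit can hide a process or lie about its exe link, so on a suspected host compare the binary's hash against the package database as well (`rpm -V httpd` or `dpkg --verify apache2`) and confirm that the process's open sockets match what a web server should have.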