New Stantinko Bot masqueraded as httpd targeting Linux servers

Researchers spotted a new variant of an adware and coin-miner botnet operated by Stantinko threat actors that now targets servers.

Researchers from Intezer have spotted a new variant of an adware and coin-miner botnet that is operated by Stantinko threat actors since 2012.

The Stantinko botnet was first spotted by ESET in 2017, at the time it infected around half a million computers worldwide. Operators behind the botnet powered a massive adware campaign active since 2012, crooks mainly targeted users in Russia, Ukraine, Belarus, and Kazakhstan searching for pirated software.

According to a new analysis published by Intezer, the Linux trojan masqueraded as httpd, which is the Apache Hypertext Transfer Protocol Server commonly used on Linux servers. At the time of this analysis, the new version of the Trojan has a detection rate of one in VirusTotal. The sample, an unstripped 64-bit ELF binary, was uploaded on November 7, 2020 from Russia.

“We have identified a new version of this Linux trojan masqueraded as httpd. httpd is Apache Hypertext Transfer Protocol Server, a commonly used program on Linux servers. The sample’s version is 2.17, and the older version is 1.2*.” reads the analysis published by Intezer.

“We believe this is part of a broader campaign that takes advantage of compromised Linux servers.”

Upon execution, the Trojan will validate a configuration which is located at “/etc/pd.d/proxy.conf” and is delivered together with the

Then the creates a socket and a listener to accept connections from other infected systems.

“Once a client connects to the listener, the program calls the on_client_connect function. First, it checks if the request method is GET, POST or NOTIFY.” continues the analysis.

“If the request method is GET, the program will reply with a 301 redirect HTTP response containing the redirect_url parameter from the configuration file.”

If the request method is HTTP the proxy passes the request to an attacker-controlled server, which then responds with an appropriate payload that’s forwarded by the proxy to the client.

In case the compromised server will receive a HTTP Get request from a non-infected client, it replies with an HTTP 301 redirect to a preconfigured URL which is specified in the configuration file.

The new variant of the shares several function names with the old version, experts also noticed some hardcoded paths that are similar to the ones employed in previous Stantinko campaigns.