Researchers have uncovered new obfuscation techniques they have described as “unique” in an active cryptocurrency mining botnet.
On Thursday, cybersecurity firm ESET said the discovery was made through an examination of the Stantinko botnet, which has been active since at least 2012.
At inception, Stantinko focused on adware delivery mainly in Russia and Ukraine. The malware was spread through pirate software as an infection vector, in which downloaders would execute these files only to also deploy a range of nuisanceware and spyware on PCs at the same time.
Revenue would be generated by the operators through malicious browser extensions bundled with the software that performed ad injections and click fraud, as well as install backdoors and perform brute-force attacks on CMS websites.
In 2019, Stantinko’s operators added a new cryptocurrency mining module to generate further illicit revenues and also expanded its victim pool to Russia, Ukraine, Belarus, and Kazakhstan.
The new Monero mining module is of interest, given the “protective techniques encountered during analysis are more advanced than the malware they protect,” says Vladislav Hrčka.
The ESET malware analyst added that some of the techniques have not yet been “publicly described.”
See also: UK’s HMRC tax authority seeks tools to track down cryptocurrency criminals
Two obfuscation techniques, the way strings are hidden and a method called control-flow obfuscation, stand out.
The first technique relies on strings, constructed in memory, that are only present in memory when they are used. According to ESET, all of the strings embedded in the cryptocurrency module are unrelated to the miner’s actual functionality, and “they either serve as building blocks for constructing the strings that are actually used or they are not used at all.”
“The strings used by the malware are generated in memory in order to avoid file-based detection and thwart analysis,” the researchers note.
Control-flow obfuscation changes the control flow to a form that is hard to read and the execution of orders of basic blocks is considered “unpredictable.”
A single function is split into blocks and these blocks are then placed as dispatches into a switch statement inside of a loop, with each dispatch consisting of one basic block. A control variable determines which block is meant to be executed.
“The basic blocks are all assigned an ID and the control variable always holds the ID of the basic block,” the researchers said. “All the basic blocks set the value of the control variable to the ID of its successor (a basic block can have multiple possible successors; in that case the immediate successor can be chosen in a condition).”
However, as code is flattened at the source code level, common tools to peel back this obfuscation would not work in the botnet’s case.
CNET: Elections amid coronavirus: How officials aim to keep voters safe
In addition, the module’s use of control-flow obfuscation includes two “head and tail” control blocks that control the function. The head decides on which dispatch needs to be executed, whereas the tail increases the control variable using a fixed constant and either goes back to the head or exits the loop.
The module also merges some basic blocks when dispatches are connected. This entire process constantly causes anomalies in the flattening loops, making analysis difficult.
In addition, the threat actors have also implemented chunks of junk code and dead strings, a way to prevent malware from being detected as malicious. “Do nothing” code, which is executed but has no real functionality, was also found.
TechRepublic: Coronavirus: What business pros need to know
“The criminals behind the Stantinko botnet are constantly improving and developing new modules that often contain non-standard and interesting techniques,” ESET says. As the botnet remains active, it is likely we will see new functionality or stealthy techniques in the future.
In related news, a new Trickbot campaign recently discovered by Bitdefender is also demonstrating never-before-seen behavior in the quest for intellectual property and financial information.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0