500,000 Windows Users Infected By Stantinko Modular Malware

Over 500,000 users have had their computers infected with a stealthy malware named Stantinko, according to a 99-page report released by Slovak antivirus maker ESET.

The malware is a modular trojan with advanced backdoor capabilities, but according to ESET, its authors have only used it to hijack search results and sometimes carry out brute-force attacks on Joomla and WordPress sites.

The researchers have traced Stantinko malware since 2002. Since then, the malware's creators have tracked its activity and increased its sophistication. The malware is still active, with a new version of its main services released earlier this year.

Some of the key points that you must know about Stantinko malware are:

  • The chief targets of Stantinko malware are Russia and Ukraine, with 46% and 33%, respectively.
  • The botnet is primarily adware that installs browser extensions to inject ads during web browsing.
  • Components of the malware are hidden inside legitimate software.
  • It installs multiple persistent services to resist cleanup attempts.

Fig. Malicious Extension


The current version of the malware is distributed via torrent. The initial infection file, FileTour, is a downloader that installs multiple malicious applications. Stantinko’s persistent services also install malicious extensions, which seem legitimate, for performing advertising fraud. The two installed extensions are The Safe Surfing and Teddy Protection, whose combined installations are around 500,000.

Stantinko was undetected for five years

As for antivirus detection, this is a tricky subject. According to ESET, the malware used several tricks that allowed it to pass undetected for years. Researchers say they identified signs of Stantinko versions and campaigns going back to as early as 2012. That’s almost five years during which time the malware operated undetected.

Writing in their report, experts say this was possible because the malware’s code was split in two, with the malicious commands hidden away from security researchers’ view.

There are always two components involved: a loader and an encrypted component. The malicious code is concealed in the encrypted component that resides either on the disk or in the Windows Registry. This code is loaded and decrypted by a benign-looking executable. The key to decrypt this code is generated on a per-infection basis. Some components use the bot identifier and others use the volume serial number from its victim PC’s hard drive. Making reliable detections based on the non-encrypted components is a very difficult task, since artifacts residing on the disk do not expose malicious behavior until they’re executed.
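The detection problem described above, shown as an added example that is not from the ESET report or the original article: the same component encrypted under two per-host keys shares no file hash, yet both copies stand out as large, near-random blobs. The SHA-256 keystream is a stand-in, since the page does not name the algorithm Stantinko uses; the payload, host secrets, value names and thresholds are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def keystream_xor(data: bytes, host_secret: bytes) -> bytes:
    """Stand-in cipher (assumption, not Stantinko's): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(host_secret + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for encrypted data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def suspicious_blobs(values: dict, min_size: int = 4096, min_entropy: float = 7.5) -> list:
    """Names of stored values that are both large and near-random (illustrative thresholds)."""
    return sorted(name for name, blob in values.items()
                  if len(blob) >= min_size and shannon_entropy(blob) >= min_entropy)

# Constructed sample data: one plaintext component, encrypted for two different hosts.
PAYLOAD = b"constructed stand-in for a plaintext component; " * 200
HOST_A_BLOB = keystream_xor(PAYLOAD, b"constructed-volume-serial-1A2B3C4D")
HOST_B_BLOB = keystream_xor(PAYLOAD, b"constructed-volume-serial-9F8E7D6C")

# Constructed stand-ins for values found on disk or in the registry during triage.
STORED_VALUES = {
    "constructed/host-a/encrypted-component": HOST_A_BLOB,
    "constructed/host-b/encrypted-component": HOST_B_BLOB,
    "constructed/benign/large-text-setting": PAYLOAD,
    "constructed/benign/small-binary-flag": bytes(range(16)),
}

if __name__ == "__main__":
    # A hash taken from host A is useless as an indicator on host B.
    print("hash shared across hosts:", sha256_hex(HOST_A_BLOB) == sha256_hex(HOST_B_BLOB))
    for name in suspicious_blobs(STORED_VALUES):
        print("flag:", name, round(shannon_entropy(STORED_VALUES[name]), 2))
```

Compressed data is also near-random, so an entropy hit is a triage lead to correlate with the process that reads the value, not a verdict on its own.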

Despite the advanced features, its operators were never interested in using their malware for anything else except adware.

Stantinko’s main functionality was to install two Chrome extensions named “Teddy Protection” and “The Safe Surfing.” Both posed as child protection and web surfing filters, but in reality, they hijacked the user’s clicks whenever the user clicked on search results in the Russian search engine Rambler.


ESET believes that Stantinko operators are only interested in monetary rewards, even if “the developers of Stantinko use methods that are most often seen in APT [cyber-espionage] campaigns.”


Credit: ESET, Bleepingcomputer, Fossbytes

Jai Prajapati

Jai Prajapati is a security analyst and author for Securityleaks, where he has a passion for covering the latest happenings in the cybersecurity world, such as malware, breaches, vulnerabilities, exploits, white papers, hacking newsbytes, the Dark Web, hacking tutorials and more.
