If you thought that the only way to get your computer infected with crypto-jacking malware was to visit infected websites, then think again, because hackers are now able to reach you through your favorite video-streaming website – YouTube.
That’s right: cybersecurity firm ESET has recently released a report detailing how the notorious Stantinko botnet, initially discovered in 2017 but operating covertly since 2012, is now able to infect your machine with crypto-jacking malware when you watch videos on YouTube.
The botnet is using YouTube to propagate itself while also installing a Monero-mining module. The report, released on Tuesday, states that as many as 500,000 machines have been infected through this method.
Stantinko's developers have often used staple hacker methods to distribute malware, including click fraud, ad injection, social network fraud, and password-stealing attacks, but the latest discovery means that the hackers are now changing not just how they propagate their malware but also how they make money from it. The malware is downloaded together with the video while streaming, but to avoid detection by security products, ESET says, the malware does not copy itself to disk and instead resides only in main memory.
To further avoid detection, the malware propagates itself with a touch of randomness: each download is a different build of the source code with the same functionality.
“Due to the use of source-level obfuscations with a grain of randomness and the fact that Stantinko’s operators compile this module for each new victim, each sample of the module is unique,” ESET explained in its post.
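The detection problem ESET describes above is that a hash taken from one victim's copy of the module will not match any other victim's copy. The following script is an added illustration, not ESET's code or anything recovered from Stantinko: it uses three constructed, textually different toy "variants" of one small function, shows that an exact-hash blocklist built from the first variant misses the other two, and contrasts that with a structural hash that canonicalises identifiers, comments and whitespace so that functionally identical builds collapse to the same value. The variant texts, the `ID0`/`ID1` placeholder scheme and the `scan` function are all assumptions made for this example.

```python
import hashlib
import keyword
import re

# Constructed toy "samples": the same logic built three times with randomised
# identifiers, layout and junk comments. These stand in for per-victim builds
# and are NOT real malware samples.
VARIANTS = {
    "victim_a": """
def f_3a9(x7, y1):
    z = x7 * 2
    return z + y1
""",
    "victim_b": """
def q_bb2(a, b):
    t = a * 2
    return t + b
""",
    "victim_c": """
# junk comment 1934
def m_00x(p, q):
    r = p * 2

    return r + q
""",
}

# Tokeniser: identifiers, integer literals, or single punctuation characters.
_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\d+|[^\s\w]")


def sha256_hex(text):
    """Exact-content hash, the kind of value a static IoC blocklist stores."""
    return hashlib.sha256(text.encode()).hexdigest()


def normalized_hash(source):
    """Structural hash: drop comments and whitespace, rename every identifier
    to a placeholder in order of first appearance (ID0, ID1, ...), and keep
    keywords, operators and literals. Builds that differ only in names and
    layout therefore hash identically."""
    names = {}
    tokens = []
    for line in source.splitlines():
        # Simplified comment stripping; a real tool would respect string literals.
        line = line.split("#", 1)[0]
        for tok in _TOKEN.findall(line):
            if keyword.iskeyword(tok) or not re.match(r"[A-Za-z_]", tok):
                tokens.append(tok)
            else:
                tokens.append(names.setdefault(tok, f"ID{len(names)}"))
    return sha256_hex(" ".join(tokens))


def scan(samples, known_exact, known_structural):
    """Return, per sample, whether an exact-hash IoC set and a structural-hash
    IoC set would flag it."""
    return {
        name: {
            "exact": sha256_hex(src) in known_exact,
            "structural": normalized_hash(src) in known_structural,
        }
        for name, src in samples.items()
    }


if __name__ == "__main__":
    # The defender only ever obtained victim_a's copy and derived IoCs from it.
    seed = VARIANTS["victim_a"]
    verdicts = scan(VARIANTS, {sha256_hex(seed)}, {normalized_hash(seed)})
    for name, v in verdicts.items():
        print(f"{name}: exact-hash match={v['exact']}, structural match={v['structural']}")
```

Run as-is, the exact-hash IoC flags only `victim_a`, while the structural hash flags all three. The same reasoning is why in-memory-only execution (which the article notes in the previous paragraph) pushes defenders toward behavioural and memory-based detection rather than file-hash blocklists.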
According to the analysis, the crypto-mining malware is based on the Monero xmr-stak open-source crypto-miner. However, this miner uses the CryptoNight R mining algorithm which is not exclusive to Monero mining. This makes it easy for Stantinko’s operators to shift between mining different coins according to their profitability analysis by changing the hashing code of the malware.
“This change makes it possible, for example, to adapt to adjustments of algorithms in existing currencies and to switch to mining other cryptocurrencies in order, perhaps, to mine the most profitable cryptocurrency at the moment of execution,” ESET explained.
According to the report, ESET said it had contacted YouTube regarding the malware, and YouTube has already taken down the affected video pages. However, this may be only a temporary solution, as the botnet keeps changing and finding new ways to propagate itself.