Researchers Uncover Lucrative ‘Stantinko’ Adware Campaign

Security researchers have discovered a large-scale adware campaign that has been operating since 2012 and affected nearly half a million users.

According to researchers at ESET Security, the sophisticated Stantinko campaign primarily targets Russia and Ukraine and has utilised a combination of code encryption and rapid adaptation techniques to stay out of sight of anti-malware tools.

Once installed, Stantinko generates revenue for its operators in several different ways, including through ad injection and click fraud.

Adware threat

“To infect a system, they trick users looking for pirated software into downloading executable files sometimes disguised as torrents,” explain Frederic Vachon and Matthieu Faou on the Eset blog. “FileTour, Stantinko’s initial installation vector, then loudly installs a lot of software to distract the user while it covertly installs Stantinko’s first service in the background.”

Once installed, it avoids detection by concealing the malicious code inside an encrypted component that resides either on the disk or in the Windows registry. This makes it hard for anti-malware tools to detect the infection as malicious behaviours remain hidden.

Stantinko is also highly resilient, as is installs two malicious Windows services that each have the ability to reinstall the other, meaning both services need to be deleted at the same time in order to fully remove it from the system.

Its main role is to install malicious browser extensions called The Safe Surfing and Teddy Protection, as the researchers explain: “Both extensions were available on the Chrome Web Store during our analysis. At first sight, they look like legitimate browser extensions that block unwanted URLs.

“However, when installed by Stantinko, the extensions receive a different configuration containing rules to perform click fraud and ad injection.” This generates revenue for the operators as they are paid for the traffic they provide to advertisers.

But it doesn’t stop there: “The malicious Windows services they install enable them to execute anything on the infected host.

“We’ve seen them being used to send a fully featured backdoor, a bot performing massive searches on Google, and a tool performing brute-force attacks on Joomla and WordPress administrator panels in an attempt to compromise and potentially resell them.”

Although not noticeable to the user, Stantinko is certainly a major threat, providing a large source of income for its creators and putting user’s privacy at risk.

Quiz. Are you a security guru?

Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

Recent Posts

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

11 hours ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

13 hours ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

14 hours ago

VW, Rivian Launch Joint Venture, As Investment Rises To $5.8 Billion

Volkswagen and Rivian officially launch their joint venture, as German car giant ups investment to…

15 hours ago

AMD Axes 4 Percent Of Staff, Amid AI Chip Focus

Merry Christmas staff. AMD hands marching orders to 1,000 employees in the led up to…

18 hours ago

Tesla Recalls 2,431 Cybertrucks Over Propulsion Issue

Recall number six in 2024 for Tesla Cybertruck, and this time the fault cannot be…

19 hours ago