A huge botnet called Stantinko was discovered by security researchers from ESET, the botnet was undetected for at least 5 years succeeded to infect about half a million devices worldwide and enables operators to “execute anything on the victim machine.
The researchers discovered that the attack vector used by the cyber criminals is an app called FileTour, it is used to install a variety of programs on the victim’s machine, while also launching Stantinko in the background.
The massive botnet is used mainly to install browser extensions that in turn perform ad injections and click fraud, but malicious Windows services are used to execute a broad range of operations: backdoor activities, searches on Google, and brute-force attacks on Joomla and WordPress administrator panels.
The threat also installs two malicious Windows services after compromise, each with the ability to reinstall the other if deleted.
The malicious browser extensions installed by the Stantinko malware are called The Safe Surfing and Teddy Protection. Both extensions distributed through the Chrome Web Store are used to block unwanted URLs.
The botnet installs its versions of both browser extensions that are able to obtain a configuration to perform click fraud and advertisement injection.