The Stantinko group has been known since 2012 for malware that mostly targets Windows. Intezer has announced that it found a new version of Stantinko's Linux proxy trojan; at the time of the report the sample had just one detection on VirusTotal. The group's arsenal mainly consists of coin-miners and adware botnets.
Trojan masqueraded as httpd
According to Intezer's report, the Linux trojan masquerades as httpd, the Apache HTTP Server daemon commonly found on Linux servers. Intezer also stated that it believes the malware is part of a broader campaign that takes advantage of compromised Linux servers.
When executed, the malware validates a configuration file that is delivered together with it. It expects the file at "/etc/pd.d/proxy.conf"; if the file does not exist or lacks the required structure, the malware exits without conducting any further malicious activity. The Intezer team also stated,
“After uploading the file to Intezer Analyze we noticed that the new variant shares several function names with the old one. These functions, such as get_binary_full_path and read_variable_string, are not called statically in the new version. We are almost certain these functions are leftover from the previous variant.
Stantinko is the latest malware targeting Linux servers to fly under the radar. The code from the new Stantinko sample is now indexed in Intezer’s Genome Database.”
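As an added example (not code from the article or from Intezer), the following Python triage helper hunts for the two indicators described above on a Linux host: the configuration path the trojan requires, and processes that call themselves httpd but run from somewhere other than where a distribution-packaged Apache binary lives. The trusted-path list, the constructed sample process snapshot, and the deleted-binary heuristic are assumptions of this example, not findings from the report.

```python
"""Added triage helper (not from the Intezer report or the article).

Two checks built from the facts the article gives:
  1. presence of /etc/pd.d/proxy.conf, the path the trojan validates;
  2. processes named "httpd" whose executable is not in a location where a
     distribution-packaged Apache binary would normally be installed.
Everything else here (trusted paths, sample data) is an assumption.
"""
import os
from dataclasses import dataclass

# Path named in the report, kept relative so it can be checked under any root.
CONFIG_PATH = "etc/pd.d/proxy.conf"

# Assumed locations of a legitimate Apache httpd binary on common distros.
TRUSTED_HTTPD_PATHS = {
    "/usr/sbin/httpd",                # RHEL / CentOS / Fedora
    "/usr/local/apache2/bin/httpd",   # source build with default prefix
}


@dataclass
class Proc:
    pid: int
    comm: str   # process name as reported by /proc/<pid>/comm
    exe: str    # resolved target of /proc/<pid>/exe


# Constructed sample snapshot so the script runs offline; not real host data.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(100, "httpd", "/usr/sbin/httpd"),               # legitimate Apache
    Proc(200, "httpd", "/tmp/.x/httpd"),                 # masquerading binary
    Proc(300, "httpd", "/usr/sbin/httpd (deleted)"),     # binary removed from disk
]


def config_present(root="/"):
    """True if the trojan's expected configuration file exists under root."""
    return os.path.isfile(os.path.join(root, CONFIG_PATH))


def suspicious_httpd(procs, trusted=TRUSTED_HTTPD_PATHS):
    """Return processes named httpd that run from an untrusted path, or whose
    on-disk binary has been deleted (a common trick to hinder collection)."""
    hits = []
    for p in procs:
        if p.comm != "httpd":
            continue
        deleted = p.exe.endswith(" (deleted)")
        exe = p.exe[: -len(" (deleted)")] if deleted else p.exe
        if deleted or exe not in trusted:
            hits.append(p)
    return hits


def snapshot_procs(proc_root="/proc"):
    """Read comm and exe for every numeric PID directory under proc_root."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited, kernel thread, or permission denied
        procs.append(Proc(int(name), comm, exe))
    return procs


if __name__ == "__main__":
    print("config file present:", config_present())
    procs = snapshot_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in suspicious_httpd(procs):
        print(f"suspicious httpd: pid={p.pid} exe={p.exe}")
```

Run it as root so /proc/<pid>/exe is readable for every process; on Debian-based systems the legitimate daemon is named apache2, so a process calling itself httpd there deserves a look regardless of path.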