According to a 2017 ESET white paper summarizing Stantinko's operations, researchers had identified a Linux trojan proxy which, until now, was the only known Linux malware belonging to Stantinko.
Now a new analysis published by Intezer has identified a new version of this trojan that masquerades as httpd, the Apache Hypertext Transfer Protocol Server commonly used on Linux servers.
Insight into Stantinko Botnet's Linux proxy
Stantinko is traditionally a Windows malware, but the expansion of its toolset to target Linux did not go unnoticed: ESET observed it in its 2017 analysis of the Linux trojan proxy, which was deployed via malicious binaries on compromised servers.
Intezer's recent research examines a newer version of the same Linux proxy, v2.17 (the earlier version was v1.2), which calls itself "httpd". A sample of the malware uploaded to VirusTotal validates a configuration file located at "etc/pd.d/proxy.conf", which is delivered with the malware.
The new version of the malware functions only as a proxy. Intezer's researchers also said the new variant shares similar functionality with the old version, and that some of the hardcoded paths likewise bear similarities to previous Stantinko campaigns.
How the Stantinko Botnet targets Linux servers
The proxy creates a socket and a listener to accept connections from infected Linux systems. An HTTP request from an infected client is passed by the proxy to an attacker-controlled server, which responds with the appropriate payload, and the proxy forwards that response back to the client.
If a non-infected client sends an HTTP request to a compromised server, it instead receives an HTTP 301 redirect to a preconfigured URL specified in the configuration file. As the latest malware targeting Linux servers, alongside other threats such as IPStorm, Doki, and RansomEXX, the Stantinko Botnet remains part of a broader malware campaign.
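The behaviour described above suggests three indicators a defender can check on a Linux host: a process named httpd running from an unexpected location, the presence of the proxy.conf file, and a 301 redirect to an unfamiliar URL when a clean client makes a plain HTTP request. The following triage helpers are an added example, not code from Intezer or ESET; the legitimate httpd directories, the leading slash on the config path, the trusted-host list and all sample data are assumptions.

```python
# Added host-triage example (not Intezer's or ESET's code) for the indicators
# in the article: a process masquerading as "httpd", a config file at
# etc/pd.d/proxy.conf, and a 301 to a preconfigured URL for clean clients.
from urllib.parse import urlparse

# Assumption: where a package-managed Apache httpd binary normally lives.
LEGIT_HTTPD_DIRS = ("/usr/sbin/", "/usr/local/apache2/bin/", "/usr/libexec/")
# Path from the article; assumed to be absolute.
PROXY_CONF = "/etc/pd.d/proxy.conf"

def suspicious_httpd(processes):
    """Exe paths of processes named httpd running from an unexpected location.
    `processes`: list of (name, exe_path) tuples, e.g. from /proc/<pid>/exe."""
    return [exe for name, exe in processes
            if name == "httpd" and not exe.startswith(LEGIT_HTTPD_DIRS)]

def unexpected_redirect(raw_response, trusted_hosts):
    """Return the Location target if the raw HTTP response is a 301 to a host
    outside `trusted_hosts`, else None. A plain request from a clean client
    to the proxy gets such a redirect, so a fleet sweep can look for it."""
    lines = raw_response.partition("\r\n\r\n")[0].split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "301":
        return None
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "location":
            target = value.strip()
            if urlparse(target).hostname not in trusted_hosts:
                return target
    return None

def triage_host(processes, present_files, raw_response, trusted_hosts):
    """Combine the three indicators into a list of findings for one host."""
    findings = [f"httpd running from unexpected path: {exe}"
                for exe in suspicious_httpd(processes)]
    if PROXY_CONF in present_files:
        findings.append(f"proxy config present: {PROXY_CONF}")
    target = unexpected_redirect(raw_response, trusted_hosts)
    if target:
        findings.append(f"301 redirect to untrusted URL: {target}")
    return findings

# Constructed sample data for one host (not real indicators).
SAMPLE_PROCESSES = [("sshd", "/usr/sbin/sshd"), ("httpd", "/var/tmp/httpd")]
SAMPLE_FILES = {"/etc/passwd", "/etc/pd.d/proxy.conf"}
SAMPLE_RESPONSE = ("HTTP/1.1 301 Moved Permanently\r\n"
                   "Location: http://redirect.example/landing\r\n\r\n")
for finding in triage_host(SAMPLE_PROCESSES, SAMPLE_FILES, SAMPLE_RESPONSE, {"www.example.org"}):
    print(finding)
```

On a real host the process list would be built from /proc and the file set from a stat of the config path; a 301 alone is not proof, since legitimate servers redirect too, so treat the findings together rather than individually.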