Rewterz Threat Alert – New Version of Stantinko Group Linux Proxy Trojan Masquerades as httpd

Severity

Medium

Analysis Summary

A new version of Linux proxy trojan related to the Stantinko group is found. It’s a group known for targeting Windows operating systems. This version of the Linux proxy trojan is masqueraded as httpd. httpd is Apache Hypertext Transfer Protocol Server, a commonly used program on Linux servers. The sample’s version is 2.17, and the older version is 1.2*. The group’s malware mainly consists of coin-miners and adware botnets. This malware seems to be a part of a broader campaign that takes advantage of compromised Linux servers. The sample is an unstripped 64-bit ELF binary. Upon execution, the malware will validate a configuration file which is delivered together with the malware on the infected machine. The malware expects the configuration file to be located at “/etc/pd.d/proxy.conf”. If the configuration file does not exist, or if it lacks the required structure, the malware exits without conducting any additional malicious activity.

This Linux version acted as a SOCKS5 proxy, with Stantinko turning infected Linux systems into nodes into a larger proxy network. Each of these Linux systems would be used to launch brute-force attacks against content management systems (CMSs) and various web-based systems, such as databases. Once it compromised these systems, the Stantinko gang would elevate its access to the underlying server OS (Linux or Windows) and then deployed a copy of itself and a crypto-miner to generate even more profits for the malware authors.

Impact

• Detection Evasion
• System Compromise
• Privilege Escalation
• Unauthorized Code Execution
• Unauthorized Resource Consumption

Indicators of Compromise

MD5

• 7d2a840048f32e487f8a61d7fc1a0c39
• d6c385303306e2f66705ec675c48ab4d
• 9aa864bd5530c6834c5ff368aff46eaa
• 22ebfdf8ee203efe3e5f2126788bd6ee
• 728a60d9a07c15371496a82dcb3ecd56

SHA-256

• 1de81bf6ee490b6bebe9f27d5386a48700e8431f902f4f17d64ddc5d8509ca7a
• 889aa5a740a3c7441cdf7759d4b1c41c98fd048f4cf7e18fcdda49ea3911d5e5
• 43a6894d5953b37f92940d5c783c9977690f358b5e25bba8c096fa54657bb2e5
• 968b41b6ca0e12ea86e51e0d9414860d13599cd127ad860e1c52c2678f4f2cb9
• a305d488733d50ea92a2794cb6e0aa9d1d176e2c8906305ea48ff503fc2eb276

SHA1

• 3d1d360fc8977e4a1d88073030043681afd55d28
• 0ada56cb148d37ae0144f0fb483720b974211bce
• 2e46b5db7b864efb95002702f46f3a810b6c9911
• 12dcc053841f9b4f4a96b2da92dc9ffcafdd4fda
• c55918adc6d2e74809777b306e361ea01a35fc05

Remediation

• Block the threat indicators at their respective controls.