Over 500,000 users have had their computers infected with a stealthy malware named Stantinko, according to a 99-page report released yesterday by Slovak antivirus maker ESET.

The malware is a modular trojan with advanced backdoor capabilities, but according to ESET, its authors have only used it hijack search results and sometimes carry out brute-force attacks on Joomla and WordPress sites.

Despite focus on adware, Stantinko is top-shelve malware

Even if mostly behaving like your run-of-the-mill adware, Stantinko features very advanced code for its end purpose. ESET researchers have classified it as a "modular backdoor," rather than adware.

This is because Stantinko uses a complex infection system, boot persistence mechanism, and a trove of plugins that allow its operators to "execute anything on the infected host."

The original entry point is via pirated or cracked software, often spread via torrents. Stantinko's operators use a clever trick during the installation of the pirated software to draw the user's attention to other unwanted apps, which it loudly installs under the user's view.

While the user's attention is distracted by these loudly installed apps, Stantinko sets up its malicious code at the same time. ESET has put together a video that shows this clever maneuver.


The code that Stantinko installs during this step is the malware's main module, along with two Windows services, the latter which provide boot persistence. If an antivirus detects one of the two auto-starting services, the other service can reinstall the other, helping Stantinko survive for a much longer time on infected hosts.

Stantinko was undetected for five years

As for antivirus detection, this is a tricky subject. According to ESET, the malware used several tricks that allowed it to pass undetected for years. Researchers say they identified signs of Stantinko versions and campaigns going back to as early as 2012. That's almost five years during which time the malware operated undetected.

Writing in their report, experts say this was possible because the malware's code was split in two, with the malicious commands hidden away from security researchers' view.

There are always two components involved: a loader and an encrypted component. The malicious code is concealed in the encrypted component that resides either on the disk or in the Windows Registry. This code is loaded and decrypted by a benign-looking executable. The key to decrypt this code is generated on a per-infection basis. Some components use the bot identifier and others use the volume serial number from its victim PC’s hard drive. Making reliable detections based on the non-encrypted components is a very difficult task, since artifacts residing on the disk do not expose malicious behavior until they’re executed.
Despite the advanced features, its operators were never interested in using their malware for anything else except adware.

Stantinko's main functionality was to install two Chrome extensions named "Teddy Protection" and "The Safe Surfing." Both posed as child protection and web surfing filters, but in reality, they hijacked the user's clicks whenever clicking on search results in the Rambler Russian search engine. A video of this behavior is embedded below.


Stantinko focused on Russian-speaking users only

No other search engines from other countries were targeted, and according to ESET, Stantinko appears to have been a local affair, with most of the 500,000 infected computers residing in Russia (46%), Ukraine (33%), Belarus (8%), Kazakhstan (8%), and other countries part of the old Soviet space.

ESET believes that Stantinko operators are only interested in monetary rewards, even if "the developers of Stantinko use methods that are most often seen in APT [cyber-espionage] campaigns."

Other Stantinko plugins observed by ESET on various campaigns, but to a lesser degree when compared to its adware capabilities, include the following:

Module Name - Analysis
Brute-force - Distributed dictionary-based attack on Joomla and WordPress administrative panels.

Search Parser - Performs massive distributed and anonymous searches on Google to find Joomla and WordPress websites. It uses compromised Joomla websites as C&C servers.

Remote Administrator - Backdoor that implements a full-range of actions from reconnaissance to data exfiltration.

Facebook Bot - Bot performing fraud on Facebook. Its capabilities include creating accounts, liking picture or pages, and adding friends.
Far more details, including IOCs, can be found in ESET's Stantinko - Teddy Bear Surfing Out of Sight report.