Operators behind the Stantinko botnet, which has been active since 2012, have released a new version of their Linux trojan masqueraded as httpd, the legitimate Apache web server process. The new variant was discovered by researchers at security firm Intezer Labs, and is believed to be a part of a broader campaign that takes advantage of compromised Linux servers.

The Stantinko botnet is known for targeting Windows operating systems, with campaigns primarily aimed at users in Russia and Ukraine. The Stantinko group’s malware mainly consists of coin-miners and adware botnets. The Stantinko botnet’s operation was detailed by ESET in 2017, at the time the botnet infected nearly half a million computers worldwide.

The researchers said that the new httpd Linux trojan was uploaded to VirusTotal on November 7, 2020 from Russia, at the time of the analysis the malware had only one detection in VirusTotal.

“Upon execution, the malware will validate a configuration file which is delivered together with the malware on the infected machine. The malware expects the configuration file to be located at “/etc/pd.d/proxy.conf”. If the configuration file does not exist, or if it lacks the required structure, the malware exits without conducting any additional malicious activity,” the report said.

The malware then creates a socket and a listener to accept connections from a client.

“Once a client connects to the listener, the program calls the on_client_connect function. First, it checks if the request method is GET, POST or NOTIFY.

If the request method is GET, the program will reply with a 301 redirect HTTP response containing the redirect_url parameter from the configuration file. This means that if the C&C IP is simply searched, using a browser for instance, the response could be misleading by redirecting to a benign website, leaving no trace of an extra payload that is used in the attack. If the request method is POST or NOTIFY, the malware will build a POST request to send to the C&C server based on the client’s HTTP request headers and content, using the create_post_data function. The program will then call the mysql_server_do_request function which is in charge of sending the POST request to the C&C,” Intezer explained.

The researchers noticed some differences between the new variant (v2.17) and old version (v1.2) of the malware. The new version is more simple and has fewer features than the previous release.

“Stantinko is the latest malware targeting Linux servers to fly under the radar, joining threats such as Doki, IPStorm and RansomEXX,” the report concludes.