
Stantinko Proxy Trojan Masquerades as Apache Servers
2020-11-25 09:43

A threat group tracked as Stantinko was observed using a new version of a Linux proxy Trojan that poses as Apache servers to remain undetected.

Previously, the Stantinko group was known mainly for targeting Windows systems, but recent attacks show that it is also evolving its Linux malware: the new proxy Trojan masquerades as httpd, the Apache HTTP Server binary found on many Linux servers.

The new version was identified nearly three years after the previous one. It serves the same purpose but differs in several ways: the command-and-control (C&C) IP address is stored in a configuration file dropped alongside the malware, the self-update capability of the earlier version is gone, and the new binary is dynamically linked, where the previous one was not.
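A process that names itself httpd but runs from somewhere a packaged Apache binary never lives is the simplest hunting signal the description above gives a defender: the impostor above, and the configuration file it drops beside itself, have to sit on disk somewhere. The following script is an added example written for this page; it is not code from the article, from SecurityWeek, or from any vendor report on Stantinko. It reads comm, exe, cwd and cmdline from /proc for every process, flags anything claiming to be httpd or apache2 whose executable is outside a set of expected install paths, was unlinked after start, or runs from a world-writable or home directory, and ships with constructed sample records so it can be exercised offline. The expected paths, the process names, and the sample records are all assumptions, not observed Stantinko indicators.

```python
"""Hunt for processes that claim to be Apache httpd but do not run from a
location where a packaged Apache binary lives.

Added example for this page, not code from the article or any vendor.
The install paths and sample records below are assumptions; adjust the
baseline to your own fleet.
"""
import os

# Assumption: where a packaged Apache binary normally lives. Debian/Ubuntu
# install /usr/sbin/apache2, RHEL/Fedora install /usr/sbin/httpd, and a
# default source build lands in /usr/local/apache2/bin/httpd.
EXPECTED_EXE = {
    "/usr/sbin/httpd",
    "/usr/sbin/apache2",
    "/usr/local/apache2/bin/httpd",
}

# Names the real server reports in /proc/<pid>/comm (assumption).
APACHE_NAMES = {"httpd", "apache2"}

# Directories a legitimate daemon binary has no business executing from.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def classify(proc):
    """Return a list of reasons a process looks like an httpd impostor.

    proc is a dict with keys comm, exe, cwd, cmdline, the same fields
    scan_proc() collects from /proc. An empty list means nothing odd.
    """
    reasons = []
    comm = proc.get("comm", "")
    exe = proc.get("exe", "")
    cwd = proc.get("cwd", "")
    cmdline = proc.get("cmdline", [])

    argv0 = os.path.basename(cmdline[0]) if cmdline else ""
    if comm not in APACHE_NAMES and argv0 not in APACHE_NAMES:
        return reasons  # does not claim to be Apache; out of scope

    # The kernel appends " (deleted)" when the binary was unlinked after
    # exec, a common trick to leave nothing for a file scanner to find.
    if exe.endswith(" (deleted)"):
        reasons.append("binary unlinked after start: " + exe)
        exe = exe[: -len(" (deleted)")]
    if exe not in EXPECTED_EXE:
        reasons.append("executable outside packaged paths: " + exe)
    if exe.startswith(WRITABLE_DIRS) or cwd.startswith(WRITABLE_DIRS):
        reasons.append("runs from a world-writable or home directory")
    # A real httpd is started by its own path, so argv[0] and comm agree;
    # a name set only via prctl(PR_SET_NAME) leaves argv[0] pointing elsewhere.
    if cmdline and argv0 != comm:
        reasons.append("comm %r does not match argv[0] %r" % (comm, cmdline[0]))
    return reasons


def scan_proc(proc_root="/proc"):
    """Walk /proc and return {pid: reasons} for every process classify() flags."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            exe = os.readlink(os.path.join(base, "exe"))
            cwd = os.readlink(os.path.join(base, "cwd"))
        except OSError:
            continue  # process exited, or no permission (run as root for full coverage)
        reasons = classify({"comm": comm, "exe": exe, "cwd": cwd, "cmdline": cmdline})
        if reasons:
            findings[int(entry)] = reasons
    return findings


# Constructed sample records (not real captures) so the logic runs offline.
SAMPLES = {
    101: {"comm": "httpd", "exe": "/usr/sbin/httpd", "cwd": "/",
          "cmdline": ["/usr/sbin/httpd", "-DFOREGROUND"]},       # packaged Apache
    202: {"comm": "httpd", "exe": "/tmp/.x/httpd", "cwd": "/tmp/.x",
          "cmdline": ["/tmp/.x/httpd"]},                          # impostor in /tmp
    303: {"comm": "httpd", "exe": "/var/tmp/httpd (deleted)", "cwd": "/",
          "cmdline": ["httpd"]},                                  # impostor, self-deleted
    404: {"comm": "sshd", "exe": "/usr/sbin/sshd", "cwd": "/",
          "cmdline": ["/usr/sbin/sshd", "-D"]},                   # unrelated daemon
}


def run_samples():
    """Classify the constructed samples; returns {pid: reasons} for flagged ones."""
    return {pid: classify(p) for pid, p in SAMPLES.items() if classify(p)}


if __name__ == "__main__":
    for pid, reasons in run_samples().items():
        print("sample pid %d: %s" % (pid, "; ".join(reasons)))
    for pid, reasons in scan_proc().items():
        print("live pid %d: %s" % (pid, "; ".join(reasons)))
```

The path allow-list is the weak point of this check: a Trojan copied over the real /usr/sbin/httpd, or a legitimate custom build under /opt, will be misjudged. Treat a hit as a lead, then confirm with package verification (rpm -V httpd or dpkg --verify apache2) and by inspecting what the process actually has open and connected, since a proxy Trojan holds an outbound connection that a web server serving local content does not need.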

Several function names in the sample are identical to those in the previous version, although in the new version those functions are not called statically.

The C&C URL paths echo earlier campaigns by the same group, which supports attributing the new Trojan to Stantinko.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/Vte6lrpRNYo/stantinko-proxy-trojan-masquerades-apache-servers
