Scranos rootkit expands operations from China to the rest of the world

silversurfer

A malware operation previously limited to China's borders has expanded over the past few months to infect users from all over the world, antivirus firm Bitdefender said in a report published today.

Users who have the bad habit of downloading and installing cracked software applications are at the highest risk.

According to Bitdefender experts, these apps are laced with a relatively new malware strain named Scranos. The most important piece of this malware is a rootkit driver that's hidden inside the tainted apps and which allows the malware to gain boot persistence and take full control over users' systems in the early stages of an infection.

Although Bitdefender describes Scranos as "a work in progress, with many components in the early stage of development," the malware is still very dangerous as it is.

That's because Scranos is a modular threat: once it infects a host computer, it can ping its command and control (C&C) server for additional instructions, and then download small modules to execute a fine set of operations.

The malware may not have modules for all the features supported by more complex malware strains, but it has enough components to put users and their data at risk, while also being a huge annoyance due to its adware-like features.

At the time of writing, Bitdefender has documented the following modules/features in a 48-page report the company shared with ZDNet:
  • Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser.
  • Steal a user's payment accounts from his Facebook, Amazon and Airbnb webpages.
  • Send friend requests to other accounts, from the user's Facebook account.
  • Send phishing messages to the victim's Facebook friends containing malicious APKs used to infect Android users as well.
  • Steal login credentials for the user's account on Steam.
  • Inject JavaScript adware in Internet Explorer.
  • Install Chrome/Opera extensions to inject JavaScript adware on these browsers as well.
  • Exfiltrate browsing history.
  • Silently display ads or muted YouTube videos to users via Chrome. We found some droppers that can install Chrome if it is not already on the victim's computer.
  • Subscribe users to YouTube video channels.
  • Download and execute any payload.

Andy Ful

This one is a rare example of malware that, after installing a digitally signed rootkit driver, also bothered to disable Windows Defender real-time protection. I do not think that this is a clever move for a rootkit, because the user can see this in the system tray.
This rootkit can be identified on Windows Home when using Application Control like in the thread:
Discuss - Application Control on Windows 10 Home
The rootkit driver and other components are signed, but not by Windows, WHQL, ELAM, or Store certificate, so they will be visible in the log.
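The signer check Andy Ful describes can be scripted for triage. The PowerShell below is an added example written for this thread, not code from the post or from Bitdefender's report; it assumes a legitimately Microsoft/WHQL-signed driver carries "O=Microsoft" in its signer subject and surfaces every loaded driver that does not, for a human to review.

```powershell
# Added example (not from the thread or Bitdefender's report): list kernel drivers
# whose Authenticode signer is not Microsoft, as a triage aid for the kind of
# third-party-signed rootkit driver discussed above. Run from an elevated shell.
# Assumption: Microsoft/WHQL-signed drivers carry "O=Microsoft" in the signer Subject.
# Anything listed is "review me", not proof of malice: many vendor drivers are legitimate.
# Caveat: inbox drivers signed only via catalog may show SigStatus NotSigned on some
# hosts; cross-check those against the Windows component store before worrying.

function Get-NonMicrosoftDrivers {
    [CmdletBinding()]
    param(
        # Only drivers currently running matter for boot-persistence triage
        [switch]$RunningOnly
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    if ($RunningOnly) { $drivers = $drivers | Where-Object { $_.State -eq 'Running' } }

    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }
        # Win32_SystemDriver.PathName may use the \??\ or \SystemRoot\ prefixes; normalize
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # Valid signature from a Microsoft subject is the expected case: skip it
        if ($sig.Status -eq 'Valid' -and $subject -match 'O=Microsoft') { continue }

        [PSCustomObject]@{
            Service   = $d.Name
            State     = $d.State
            StartMode = $d.StartMode      # 'Boot'/'System' start is what a rootkit wants
            Path      = $path
            SigStatus = $sig.Status
            Signer    = $subject
        }
    }
}

# Usage: print the review list, grouped by signer so one odd vendor stands out
Get-NonMicrosoftDrivers -RunningOnly | Sort-Object Signer | Format-Table -AutoSize
```

Pair the output with the Application Control audit log from the linked thread: a driver that is both non-Microsoft-signed here and newly appearing there is the one to pull for analysis.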