Scranos rootkit expands operations from China to the rest of the world

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,165
Content source
https://www.zdnet.com/article/scranos-rootkit-expands-operations-from-china-to-the-rest-of-the-world/
A malware operation previously limited to China's borders has expanded over the past few months to infect users from all over the world, antivirus firm Bitdefender said in a report published today.

Users who have the bad habit of downloading and installing cracked software applications are at the highest risk.

According to Bitdefender experts, these apps are laced with a relatively new malware strain named Scranos. The most important piece of this malware is a rootkit driver that's hidden inside the tainted apps and which allows the malware to gain boot persistence and take full control over users' systems in the early stages of an infection.

Although Bitdefender describes Scranos as "a work in progress, with many components in the early stage of development," the malware is still very dangerous as it is.

That's because Scranos is a modular threat that once it infects a host computer, it can ping its command and control (C&C) server for additional instructions, and then download small modules to execute a fine set of operations.

The malware may not have modules for all the features supported by more complex malware strains, but it has enough components to put users and their data at risk, while also being a huge annoyance due to its adware-like features.

At the time of writing, Bitdefender has documented the following modules/features in a 48-page report the company shared with ZDNet:
  • Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet
    Explorer, Baidu Browser and Yandex Browser.
  • Steal a user's payment accounts from his Facebook, Amazon and Airbnb webpages.
  • Send friend requests to other accounts, from the user's Facebook account.
  • Send phishing messages to the victim's Facebook friends containing malicious APKs used to infect Android users as well.
  • Steal login credentials for the user's account on Steam.
  • Inject JavaScript adware in Internet Explorer.
  • Install Chrome/Opera extensions to inject JavaScript adware on these browsers as well.
  • Exfiltrate browsing history.
  • Silently display ads or muted YouTube videos to users via Chrome. We found some droppers that can install Chrome if it is not already on the victim's computer.
  • Subcribe users to YouTube video channels.
  • Download and execute any payload.
Click to expand...
 
  • Like
  • +Reputation
Reactions: given, Fel Grossi, Solarquest and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,127
This one is a rare example of malware, that after installing a digitally signed rootkit driver, also bothered to disable Windows Defender real-time protection. I do not think that this is a clever move for a rootkit, because the user can see this on the system tray.:unsure:
This rootkit can be identified on Windows Home when using Application Control like in the thread:
Discuss - Application Control on Windows 10 Home
The rootkit driver and other components are signed, but not by Windows, WHQL, ELAM, or Store certificate, so they will be visible in the log.
 
Last edited:
  • Like
Reactions: given, Fel Grossi, silversurfer and 3 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
Chaes malware now uses Google Chrome DevTools Protocol to steal data
Replies
0
Views
971
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
MuzzMelbourne
    • Like
Over 60K Adware Apps Posing as Cracked Versions of Popular Apps Target Android Devices
Replies
0
Views
1,264
News Archive
MuzzMelbourne
MuzzMelbourne
Gandalf_The_Grey
    • Like
    • +Reputation
Security News The law enforcement operations targeting cybercrime in 2023
Replies
0
Views
1,199
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top