This data-stealing malware has returned with new attacks and nasty upgraded features

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,165
The group behind a malware campaign targeting both Windows and Android devices in an adware operation across both Europe and the US has altered its attack techniques and added new payloads, including a cryptominer and a Trojan, in an apparent bid to make more money from infected devices.

Details of the multi-functional Scranos malware first emerged in April but shortly afterwards, the operators lost their main mechanism of persistence and disguise when their illicit use of Authenticode certificates was revoked.

But that hasn't stopped the cyber criminal campaign, because in the space of just a few weeks, Scranos has already updated its attack methods in an attempt to rebuild their botnet.

The new techniques employed by Scranos have been detailed by cyber security researchers at Bitdefender – who were also responsible for uncovering the malware campaign earlier this year. It's believed that the campaign has originated from China – but its effects are felt around the globe.

"The rapid mobilization of its operators to contain the damage and maintain control of the already infected machines reveals that they were not ready to give up yet," Bogdan Botezatu, Director of Threat Research and Reporting at Bitdefender told ZDNet.
"They came with a novel approach at concealing their malware behind Microsoft executables and they also started spreading new payloads to keep funding going."
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
By using legitimate Windows executables in the installation process, Scranos leaves few traces of its activity behind, even blending in with standard network traffic, and therefore reduces the risk of being discovered before it has generated revenue for the attackers. The key goal of Scranos is to generate traffic to URLs as directed by the command and control servers. These URLs contain various adverts, videos and other revenue-generating links which are run using a hidden instance of Google Chrome. Each URL is opened in a new tab, with each driving revenue for the attackers. This is done behind the scenes, without the knowledge of the user.

But the campaign isn't just about ad fraud, with the operators behind Scranos adding several new payloads to the latest iteration of the malware – including the Yoddos trojan. Yoddos isn't a new trojan, having existed in the wild since 2012, but it provides a backdoor into infected machines in addition to being able to employ the systems to conduct DDoS attacks. Researchers believe that Yoddos is being deployed to deliver other kinds of malware – and that it forms part of another part of the moneymaking scheme, with the operators of Scranos renting out their network for other criminals to drop new payloads.

While Scranos has become prolific, it's also quite easy to avoid. With the main method of installation being via encouraging downloads, users could go a long way to avoiding the malware by being careful what they install – and by only downloading applications from trusted websites. "Pirated software is not only the root cause of Scranos, it has also become an important delivery mechanism for ransomware. If in doubt, do not install applications from third party websites – rather head to the vendor's page and get a copy of the software,"
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
This malware is rootkit-enabled spyware. It is usually a part of cracked legitimate software or a fake application (e-book readers, video players, antimalware products, driver software, etc.). It installs a digitally signed driver. Here are some of its important features:
  • Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser.
  • Steal a user’s payment accounts from his Facebook, Amazon and Airbnb webpages.
  • Send friend requests to other accounts, from the user’s Facebook account.
  • Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Android users as well.
  • Steal login credentials for the user’s account on Steam.
  • Inject JavaScript adware in Internet Explorer.
  • Install Chrome/Opera extensions to inject JavaScript adware on these browsers as well.
  • Exfiltrate browsing history.
  • Silently display ads or muted YouTube videos to users via Chrome. We found some droppers that can install Chrome if it is not already on the victim’s computer.
  • Subscribe users to YouTube video channels.
  • Download and execute any payload.

Some samples can silently install Chrome and start it in debugging mode. Next, the malicious DLL is injected into Chrome to hide the Chrome window (not visible on the Desktop and Taskbar). The malware can install several malicious extensions in Chrome.
For example, the YouTube subscriber payload can inject adware scripts in web pages. This payload debugs Chrome (DevTools Protocol) and takes some actions (without user knowledge) on the YouTube web page, like: subscribe, click ads, start the video.
Similar injection techniques are used for other payloads.

For the Chrome user, this infection chain is not visible. So, many users can probably think that they were infected while browsing, especially when AV alerts about script injections in webpages or blocked DLLs when starting Chrome. Some of them may identify the persistence of system infection and think that something escaped from the Chrome Sandbox. In fact, the opposite is true - Chrome was attacked by the malware already running in the system.
 
Last edited:
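The post above describes Chrome being started in debugging mode and driven over the DevTools Protocol by code already running on the host. The following is an added detection example (not code from the post, ZDNet or Bitdefender) that runs simple hunting rules over process-creation records. The record format is a constructed pipe-delimited line, the sample events are constructed, and the lists of "expected" Chrome parents and user-writable path markers are assumptions to be tuned per environment; `--remote-debugging-port` and `--load-extension` are real Chrome command-line switches.

```python
import re
from typing import Dict, List

# Constructed, pipe-delimited process-creation records (not from a real host):
# utc_time|image|parent_image|command_line
SAMPLE_EVENTS = [
    "2019-06-10T09:12:01Z|C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
    "|C:\\Windows\\explorer.exe|\"chrome.exe\" https://example.org/",
    "2019-06-10T09:12:44Z|C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
    "|C:\\Users\\alice\\AppData\\Roaming\\Updater\\svc.exe"
    "|\"chrome.exe\" --remote-debugging-port=9222 --load-extension=C:\\Users\\alice\\AppData\\Local\\Temp\\ext --no-first-run",
    "2019-06-10T09:13:02Z|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\services.exe|svchost.exe -k netsvcs",
    "2019-06-10T09:15:10Z|C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
    "|C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe|\"chrome.exe\" --type=renderer",
]

# Chrome switches that hand control of the browser to another process
# (DevTools remote debugging) or force-load an unpacked extension.
CONTROL_SWITCHES = re.compile(r"--(remote-debugging-port=\d+|load-extension=\S+)", re.IGNORECASE)

# Assumption: on this fleet Chrome is normally started by the shell or by
# Chrome itself (renderer/GPU children). Adjust for your environment.
EXPECTED_CHROME_PARENTS = {"explorer.exe", "chrome.exe"}

# Assumption: a parent process living under these roots is untrusted code,
# which is where dropped installers usually run from.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    time, image, parent, cmdline = line.split("|", 3)
    return {"time": time, "image": image, "parent": parent, "cmdline": cmdline}


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules this event triggers (empty if benign)."""
    hits: List[str] = []
    if basename(ev["image"]) != "chrome.exe":
        return hits
    switches = CONTROL_SWITCHES.findall(ev["cmdline"])
    if switches:
        hits.append("chrome_control_switch:" + ",".join(s.split("=")[0] for s in switches))
    parent_name = basename(ev["parent"])
    if parent_name not in EXPECTED_CHROME_PARENTS:
        hits.append("chrome_unexpected_parent:" + parent_name)
    if any(m in ev["parent"].lower() for m in USER_WRITABLE_MARKERS):
        hits.append("chrome_parent_in_user_writable_path")
    return hits


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rules over every record and keep only events with at least one hit."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        hits = analyze_event(ev)
        if hits:
            findings.append({"time": ev["time"], "parent": ev["parent"], "rules": hits})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["time"], f["parent"], ", ".join(f["rules"]))
```

Only the second constructed event is flagged: a Chrome instance with the remote-debugging switch, an unpacked extension loaded from Temp, and a parent under the user profile. Renderer children spawned by Chrome itself and the user's own launch from Explorer stay quiet, which is what keeps a rule like this usable on a busy fleet.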

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
"A legitimate Microsoft executable is placed in the same folder as a malicious DLL to ensure the malware is persistent and remains active after a system reboot."

I assume this "legitimate Microsoft executable" is dropped in User space, and therefore would be blocked by SRP at recommended settings? If so, this would be an advantage to SRP, which doesn't care how "legitimate" a file may be, over default-deny solutions that recognize and allow cataloged Windows binaries.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
This malware will be easily prevented in enterprises by SRP on SUA. The delivery method is via fake or cracked software, and has to be installed by the user. SRP default-deny setup will prevent installation, except when the user is an administrator.

The casual home users will be protected by the combination of SRP and forced SmartScreen (cracked software can be delivered on the friend's pen drive). Even if the malware is digitally signed, then it will be blocked by SmartScreen because of very low prevalence/reputation. Only the EV signed malware (without checking the reputation) can bypass SmartScreen.

The users who believe that the fake/cracked installer is safe (and have the permissions to bypass SRP and SmartScreen) will probably ignore SmartScreen and make the computer infected anyway.

This (and many other) malware uses legitimate Microsoft executables only to avoid suspicious entries in the Windows Event Log. SRP can be effective to prevent rootkits, but it is not effective to fight already installed rootkits. The Rootkit service can use several persistence methods to keep the infection alive.
 
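The two posts above make one point worth seeing in code: a path-based SRP default-deny rule judges a file by where it runs from, not by whether it is a signed Microsoft binary, so a legitimate signed executable copied next to a malicious DLL under the user profile is still blocked for a standard user (and not for an administrator). The following is an added example, not code from the posts or from Hard_Configurator; the allow-list of protected paths, the `signer` field and the sample file inventory are constructed and simplified (real SRP also has hash, certificate and zone rules).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed path rules in the spirit of an SRP default-deny setup:
# everything is denied unless it runs from a location standard users cannot write to.
ALLOW_PATH_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class FileOnDisk:
    path: str
    signer: str  # constructed field: "Microsoft", a vendor name, or "" for unsigned


def srp_allows(exe_path: str, user_is_admin: bool) -> Tuple[bool, str]:
    """Path-rule decision. Administrators are exempt in the usual setup, as the post notes."""
    if user_is_admin:
        return True, "administrator is exempt from enforcement"
    p = exe_path.lower()
    if any(p.startswith(pref) for pref in ALLOW_PATH_PREFIXES):
        return True, "runs from a protected (non user-writable) location"
    return False, "default-deny: runs from a user-writable location"


def sideload_candidates(inventory: Iterable[FileOnDisk]) -> List[Tuple[str, List[str]]]:
    """Flag Microsoft-signed executables outside the protected locations that have a
    DLL with a different (or no) signer beside them: the co-location the quote describes."""
    by_dir: Dict[str, List[FileOnDisk]] = {}
    for f in inventory:
        d = f.path.lower().rsplit("\\", 1)[0] + "\\"
        by_dir.setdefault(d, []).append(f)
    out: List[Tuple[str, List[str]]] = []
    for d, members in by_dir.items():
        if any(d.startswith(pref) for pref in ALLOW_PATH_PREFIXES):
            continue  # protected location: a standard user could not have planted files here
        ms_exes = [f for f in members if f.path.lower().endswith(".exe") and f.signer == "Microsoft"]
        odd_dlls = [f.path for f in members if f.path.lower().endswith(".dll") and f.signer != "Microsoft"]
        if odd_dlls:
            for exe in ms_exes:
                out.append((exe.path, odd_dlls))
    return out


# Constructed inventory (hypothetical paths and names, not from a real infection).
SAMPLE_INVENTORY = [
    FileOnDisk("C:\\Windows\\System32\\notepad.exe", "Microsoft"),
    FileOnDisk("C:\\Users\\alice\\AppData\\Roaming\\Updater\\helper.exe", "Microsoft"),  # copied legitimate exe
    FileOnDisk("C:\\Users\\alice\\AppData\\Roaming\\Updater\\helper.dll", ""),           # unsigned DLL beside it
    FileOnDisk("C:\\Program Files\\Vendor\\tool.exe", "Vendor Ltd"),
    FileOnDisk("C:\\Program Files\\Vendor\\plugin.dll", "Vendor Ltd"),
]

if __name__ == "__main__":
    for f in SAMPLE_INVENTORY:
        if f.path.lower().endswith(".exe"):
            for admin in (False, True):
                ok, why = srp_allows(f.path, admin)
                print(f"{'admin' if admin else 'SUA  '} {f.path}: {'allow' if ok else 'block'} ({why})")
    for exe, dlls in sideload_candidates(SAMPLE_INVENTORY):
        print("co-located exe/dll outside protected paths:", exe, dlls)
```

Running it shows the copied `helper.exe` blocked for a standard user regardless of its Microsoft signature, allowed for an administrator, and reported by the co-location check; the same binary in `System32` and the vendor tool in `Program Files` pass both checks.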
