Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/16/2019
03:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Meet Scranos: New Rootkit-Based Malware Gains Confidence

The cross-platform operation, first tested on victims in China, has begun to spread around the world.

A new rootkit-based malware family known as "Scranos" is being used in global cyberattacks as its authors grow their potential target base while adding new components and fixing bugs.

The cross-platform threat was first detected by Bitdefender researchers in mid-December; the team has been tracking it ever since. Its rootkit component was what made Scranos stand out, says Bogdan "Bob" Botezatu, Bitdefender's head of threat research and reporting. Rootkit-based malware is rare, he says, and accounts for less than 1% of the malware they see daily. Researchers watch for rootkits because they're usually linked to high-profile attacks, he adds.

Scranos is a password- and data-stealing operation based around a rootkit driver, which has been digitally signed with a certificate believed to be stolen. When it was first detected, Scranos was localized to the Asian market; specifically, China. Botezatu hypothesizes China's technology restrictions and security practices made for an appealing test ground to cyberattackers. 

"My guess – and it's still a guess – is that the cybercriminals started up and ran a test on the Chinese market … it's much easier to infect people in China or India, than in the rest of the world," he says. Piracy in these regions is still high and people are more likely to download apps from third-party stores. There, Scranos often lies disguised as cracked software or apps posing as legitimate software including ebook readers, video players, and anti-malware products.

"This created a perfect context to infect a pool of victims in China, see how the malware performs, do whatever needs fixing, and throw it into production," Botezatu explains.

In late Jan. and early Feb., researchers saw Scranos start spreading to other countries. Now, it has a global presence and is especially prevalent in India, Romania, Brazil, France, Italy, and Indonesia. Its growth is a sign that operators believe it's mature enough to be monetized.

Inside Scranos: a Work in Progress

The cracked software or Trojanized app is bundled with the initial dropper, which doubles as a password stealer and steals cookies, login credentials, and payment data from Facebook, YouTube, Amazon, and Airbnb before sending it to the C&C. From there, the dropper installs the rootkit, which achieves persistence and injects a downloader into a legitimate process so attackers can download future payloads. The downloader also sends system data to the C&C.

Researchers discovered several types of payloads linked to Scranos. One adware file manipulates YouTube pages and gets victims to start and mute videos, subscribe to channels, and click advertisements by entering instructions in Chrome in debugging mode. Another payload installs adware extensions in Chrome. A Facebook spam payload sends friend requests to other users, and spams contacts with links to malicious Android apps.

Scranos' authors are continuously improving old components and testing new ones on already infected computers. "They're still in the experimentation stage," says Botezatu. Right now, authors are tinkering with code and trying to get a foothold on devices while fixing bugs. He anticipates they're also likely advertising their wares on underground forums.

The many components for Scranos serve different purposes, but researchers note these functions are among the most important:

  • Extract cookies and steal login credentials from Chrome, Chromium, Firefox, Opera, Edge, Internet Explorer, Baidu, and Yandex browsers
  • Steal payment accounts from Facebook, Amazon, and Airbnb
  • Send friend requests from the user's Facebook account to other accounts
  • Inject JavaScript adware into Internet ExplorerExfiltrate browsing history
  • Subscribe users to YouTube channels
  • Silently display ads or muted YouTube videos to users via Chrome

"Their approach is pretty unique," says Botezatu of Scranos' authors. This threat is more aggressive and versatile than adware: it hunts for personal information, credit card data, and social media data; the Facebook tool lets them spread to mobile devices. He notes there has been increased interest in both data collection and YouTube manipulation capabilities. 

System drivers are tough to spot as they're hidden in the Windows directory. "It's very difficult for a regular person, who is not into forensics, to spot any malicious activity until it's too late," he says. One sign of infection is social activity: if you notice Facebook or YouTube displaying activity from you that you didn't initiate, it's a sign someone else is controlling your account.

While it's difficult to predict what attackers will do next, Botezatu expects Scranos' next big step will be using its footholds to deliver more nefarious third-party malware. Its next monetization scheme could be making the platform available to different cybercrime groups, he says, or using ransomware to generate quick cash from its growing pool of victims.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/16/2019 | 3:20:23 PM
For a smile
This has to be sister of Thanos in the next Avenger's movie for 2025 release. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27652
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27653
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27654
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
CVE-2020-27655
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVE-2020-27656
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.