{"id":26798,"date":"2019-04-16T19:10:00","date_gmt":"2019-04-16T19:10:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities---threats\/meet-scranos-new-rootkit-based-malware-gains-confidence\/d\/d-id\/1334436"},"modified":"2019-04-16T19:10:00","modified_gmt":"2019-04-16T19:10:00","slug":"meet-scranos-new-rootkit-based-malware-gains-confidence","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/meet-scranos-new-rootkit-based-malware-gains-confidence\/","title":{"rendered":"Meet Scranos: New Rootkit-Based Malware Gains Confidence"},"content":{"rendered":"
\n<\/header>\n

The cross-platform operation, first tested on victims in China, has begun to spread around the world.<\/span> <\/p>\n

A new rootkit-based malware family known as “Scranos” is being used in global cyberattacks as its authors grow their potential target base while adding new components and fixing bugs.<\/p>\n

The cross-platform threat was first detected by Bitdefender researchers in mid-December; the team has been tracking it ever since. Its rootkit component was what made Scranos stand out, says Bogdan “Bob” Botezatu, Bitdefender’s head of threat research and reporting. Rootkit-based malware is rare, he says, and accounts for less than 1% of the malware they see daily. Researchers watch for rootkits because they’re usually linked to high-profile attacks, he adds.<\/p>\n

Scranos is a password- and data-stealing operation based around a rootkit driver, which has been digitally signed with a certificate believed to be stolen. When it was first detected, Scranos was localized to the Asian market; specifically, China. Botezatu hypothesizes China’s technology restrictions and security practices made for an appealing test ground to cyberattackers. <\/p>\n

“My guess \u2013 and it’s still a guess \u2013 is that the cybercriminals started up and ran a test on the Chinese market \u2026 it’s much easier to infect people in China or India, than in the rest of the world,” he says. Piracy in these regions is still high and people are more likely to download apps from third-party stores. There, Scranos often lies disguised as cracked software or apps posing as legitimate software including ebook readers, video players, and anti-malware products.<\/p>\n

“This created a perfect context to infect a pool of victims in China, see how the malware performs, do whatever needs fixing, and throw it into production,” Botezatu explains.<\/p>\n

In late Jan. and early Feb., researchers saw Scranos start spreading to other countries. Now, it has a global presence and is especially prevalent in India, Romania, Brazil, France, Italy, and Indonesia. Its growth is a sign that operators believe it’s mature enough to be monetized.<\/p>\n

Inside Scranos: a Work in Progress<\/strong><\/p>\n

The cracked software or Trojanized app is bundled with the initial dropper, which doubles as a password stealer and steals cookies, login credentials, and payment data from Facebook, YouTube, Amazon, and Airbnb before sending it to the C&C. From there, the dropper installs the rootkit, which achieves persistence and injects a downloader into a legitimate process so attackers can download future payloads. The downloader also sends system data to the C&C.<\/p>\n

Researchers discovered<\/a> several types of payloads linked to Scranos. One adware file manipulates YouTube pages and gets victims to start and mute videos, subscribe to channels, and click advertisements by entering instructions in Chrome in debugging mode. Another payload installs adware extensions in Chrome. A Facebook spam payload sends friend requests to other users, and spams contacts with links to malicious Android apps.<\/p>\n

Scranos’ authors are continuously improving old components and testing new ones on already infected computers. “They’re still in the experimentation stage,” says Botezatu. Right now, authors are tinkering with code and trying to get a foothold on devices while fixing bugs. He anticipates they’re also likely advertising their wares on underground forums.<\/p>\n

The many components for Scranos serve different purposes, but researchers note these functions are among the most important:<\/p>\n