A spyware campaign built around a rootkit has come to light: its operators distribute multifunctional malware disguised as cracked software or as trojanized applications, typically posing as popular video players, drivers, and even antivirus tools. Known as Scranos, the rootkit was first identified late last year and continues to evolve, refining existing components and adding new functionality, which makes it a significant threat.
The Scranos malware architecture is modular, equipped with capabilities to hijack login credentials, exfiltrate payment information, and capture browsing history and cookies. Additionally, it can artificially inflate YouTube subscriber counts, deliver unwanted advertisements, and execute various payloads on infected systems. This makes it a multifaceted tool for attackers aiming to exploit users across multiple platforms.
A comprehensive report from Bitdefender outlines that Scranos establishes persistence on compromised machines by installing a digitally signed rootkit driver. Researchers believe the attackers procured a valid code-signing certificate, originally issued to Yun Yu Health Management Consulting in Shanghai, China, which remains unrevoked as of now. Because the certificate is valid and unrevoked, Windows driver signature enforcement does not stop the driver from loading, so a valid signature on its own is no evidence that a driver is benign. The driver also registers a shutdown callback: at shutdown it rewrites its own file to disk and recreates its service registry keys, so even if the file or keys were removed during the session, the rootkit is back after the reboot.
Upon infection, Scranos injects a downloader into a legitimate process, enabling communication with a Command-and-Control (C&C) server controlled by the attackers, from which it can fetch additional payloads. Among these are password and browsing history theft modules that compromise credentials from popular web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge, as well as from accounts including Facebook and Amazon.
Another payload type is an extension installer that adds adware extensions to browsers, injecting unwanted advertisements into browsing sessions. There is also a component targeting Steam, capable of stealing user credentials and game-related data. Each additional payload widens the malware's reach and impact.
Certain payloads act autonomously on the victim's behalf on platforms such as YouTube and Facebook. For instance, the YouTube payload drives the victim's browser in debugging mode to simulate actions such as playing videos and subscribing to channels. Because these actions originate from the victim's own authenticated browser session, they are indistinguishable from genuine user activity to the platform; this is browser automation rather than social engineering, and it gives the attackers control over the account without ever needing the victim's cooperation.
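As an added, illustrative example (not code from the Bitdefender report and not part of Scranos), the following Python script runs two detections over constructed Sysmon-style events: it flags a kernel driver load (Sysmon Event ID 6) whose signature is valid but whose signer is not on an allowlist, which is the situation the certificate-signed rootkit in the persistence section creates, and it flags a Chrome or Edge launch (Sysmon Event ID 1) that carries remote-debugging, headless or extension-loading switches, which is the kind of debugging-driven automation described for the YouTube payload above. The Chromium switches `--remote-debugging-port`, `--headless` and `--load-extension` are real, but treating them as the signal for this behaviour is an assumption of the example, as are the sample file names, paths, parent processes and the flattened key=value log layout; the signer allowlist is deliberately small and would need to be baselined against the vendors actually present in a real environment.

```python
"""Two toy detections for the Scranos behaviours discussed above, run over
constructed Sysmon-like events. Example code only; all sample data below is
made up and none of the file names are indicators of compromise."""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample events in a flattened Sysmon-style key=value layout
# (EventID 6 = driver loaded, EventID 1 = process created). Not real telemetry.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\ndis.sys" Signed=true '
    'Signature="Microsoft Windows" SignatureStatus=Valid',
    # Validly signed, but by a signer nobody expects to see on a kernel driver.
    'EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\example.sys" Signed=true '
    'Signature="Yun Yu Health Management Consulting" SignatureStatus=Valid',
    # Ordinary user-launched browser: no automation switches, parent is the shell.
    'EventID=1 Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="chrome.exe https://example.org"',
    # Browser driven in debugging mode by a non-shell parent (assumed switch names).
    'EventID=1 Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'ParentImage="C:\\Windows\\System32\\svchost.exe" '
    'CommandLine="chrome.exe --remote-debugging-port=9222 --headless https://www.youtube.com/"',
]

# key=value or key="quoted value" tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Illustrative allowlist; a real one is built from the signers seen in your fleet.
TRUSTED_DRIVER_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Real Chromium switches; using them as the automation signal is an assumption.
AUTOMATION_SWITCHES = ("--remote-debugging-port", "--headless", "--load-extension")
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a dict of its fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def untrusted_signed_driver(ev: Dict[str, str]) -> Optional[str]:
    """Flag driver loads that are unsigned, badly signed, or validly signed by an
    unexpected signer. A valid signature alone is not a reason to trust a driver."""
    if ev.get("EventID") != "6":
        return None
    image = ev.get("ImageLoaded", "?")
    signer = ev.get("Signature", "")
    if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
        return f"driver {image} loaded without a valid signature"
    if signer not in TRUSTED_DRIVER_SIGNERS:
        return f"driver {image} loaded with valid but unexpected signer '{signer}'"
    return None


def automated_browser_launch(ev: Dict[str, str]) -> Optional[str]:
    """Flag Chromium-based browsers started with debugging/automation switches,
    and record the parent so an analyst can see it was not the user's shell."""
    if ev.get("EventID") != "1":
        return None
    image = basename(ev.get("Image", ""))
    if image not in CHROMIUM_BROWSERS:
        return None
    cmd = ev.get("CommandLine", "")
    hits = [switch for switch in AUTOMATION_SWITCHES if switch in cmd]
    if not hits:
        return None
    parent = basename(ev.get("ParentImage", "")) or "?"
    return f"{image} started with {', '.join(hits)} by parent {parent}"


def scan(lines: Iterable[str]) -> List[str]:
    """Run every detector over every event and collect the alert reasons."""
    alerts: List[str] = []
    for line in lines:
        ev = parse_event(line)
        for detector in (untrusted_signed_driver, automated_browser_launch):
            reason = detector(ev)
            if reason:
                alerts.append(reason)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the constructed input the script raises exactly two alerts, one for the driver signed by the unexpected signer and one for the debugging-mode browser launch. The driver check is intentionally allowlist-based rather than blocklist-based: blocking one known-bad signer would not have helped before the certificate became public, whereas an unfamiliar signer on a newly loaded kernel driver is worth a look regardless of who it is.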
Additionally, the malware can exploit Facebook, sending friend requests and private messages that potentially disseminate malicious links to the victim’s contacts. The Scranos operation extends to compromised Android devices, where it has disguised itself as a legitimate app, continuously tracking users and employing the same C&C infrastructure as its Windows counterparts.
The malware has been shown to harvest sensitive payment information from major platforms—such as Facebook and Amazon—further extending the damage that can be wrought from a single infection. Researchers observed that Scranos appears to be most prevalent in regions including India, Romania, Brazil, France, Italy, and Indonesia, suggesting a broad targeting strategy.
The first known sample of Scranos dates back to November 2018, with reports of increased activity during the subsequent months. By March 2019, the malware had begun deploying other strains, indicating a potential partnership with third-party entities as part of a pay-per-install scheme and raising concerns about expanding networks of cybercrime.
Scranos illustrates how a single operation chains several MITRE ATT&CK tactics: initial access by tricking users into running trojanized installers, persistence via a signed rootkit driver, credential theft from browsers and applications, and abuse of the victim's legitimate accounts to further the attackers' goals. As businesses remain increasingly interconnected through digital platforms, understanding and fortifying defenses against such multifaceted threats is critical for safeguarding sensitive information.