Scranos malware expands from China, goes global

News by Mark Mayne

A new malware campaign previously only found in China has widened operations to target enterprises and users across the globe.

A highly sophisticated malware campaign dubbed Scranos has begun to spread globally, after originally targeting mainland China. The password- and data-stealing operation is based around a rootkit driver digitally signed with a possibly stolen certificate, according to the Bitdefender Cyber Threat Intelligence Lab, and is being continually tested and upgraded for maximum effectiveness.

Bogdan Botezatu, senior e-threat analyst at Bitdefender told SC Media UK that Scranos represents a real and sophisticated threat: "Scranos is an extremely controversial piece of malware. On one hand, it employs a rootkit component, a technology that's present in less than one percent of the existing malware and that is mostly specific to highly targeted attacks or to high profile threat actor groups. On the other hand, it looks like its masters are testing their code in production, tweaking the malware to their needs on the go. But most of all, Scranos is extremely effective at both hiding from scrutiny and at hijacking accounts or exfiltrating payment information."

The malware mainly spreads via Trojanised applications disguised as cracked software, or applications posing as legitimate software such as e-book readers, video players, drivers or even antimalware products, according to Bitdefender, and is currently most prevalent in India, Romania, Brazil, France, Italy and Indonesia. Once executed, a rootkit driver is installed to ensure persistence, then the malware downloads other components as needed.

The Bitdefender researchers said that despite the sophistication, this attack "looks like a work in progress, with many components in the early stage of development", highlighting that worse may be yet to come. Indeed, in March 2019, the command and control servers started pushing other strains of malware, "a clear indicator that the network is now affiliated with third parties in pay-per install schemes", according to the company. In addition, the bulk of infections to date are Windows 10 (2799) and Windows 7 machines (1150), demonstrating that newer, more secure Windows versions are not immune (although most OS are not secure from targeted user-activated malware).

The main components identified so far can perform the following attacks:

• Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser.

• Steal a user’s payment accounts from his Facebook, Amazon and Airbnb webpages.

• Send friend requests to other accounts, from the user’s Facebook account.

• Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Android users as well. • Steal login credentials for the user’s account on Steam.

• Inject JavaScript adware in Internet Explorer.

• Install Chrome/Opera extensions to inject JavaScript adware on these browsers as well.

• Exfiltrate browsing history.

• Silently display ads or muted YouTube videos to users via Chrome.

• Subscribe users to YouTube video channels.

• Download and execute any payload.

Eoin Keary, CEO and co-founder of Edgescan said that enterprise admins should look to group policy controls to limit the spread of Scrnos: "Scranos is a memory rootkit that infects Windows systems posing as pirated or legitimate applications.

To reduce the risk of infection, local administration rights to install software should be restricted. Generally recognised as good practice, this should prevent users arbitrarily installing software on corporate machines.

Chrome enterprise admins should also block the ability to load extensions via the chrome browser, and Microsoft Browser admins can block extension installs via Group policy."

The Bitdefender report contains detailed step-by-step removal instructions, as well as a full list of IOCs for enterprise blacklists.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews