Scranos rootkit expands operations from China to the rest of the world

Rise of new multi-functional rootkit-backdoor-infostealer-adware strain worries researchers.

source code bytecode

A malware operation previously limited to China's borders has expanded over the past few months to infect users from all over the world, antivirus firm Bitdefender said in a report published today.

Users who have the bad habit of downloading and installing cracked software applications are at the highest risk.

According to Bitdefender experts, these apps are laced with a relatively new malware strain named Scranos. The most important piece of this malware is a rootkit driver that's hidden inside the tainted apps and which allows the malware to gain boot persistence and take full control over users' systems in the early stages of an infection.

A very dangerous "work in progress"

Although Bitdefender describes Scranos as "a work in progress, with many components in the early stage of development," the malware is still very dangerous as it is.

That's because Scranos is a modular threat that once it infects a host computer, it can ping its command and control (C&C) server for additional instructions, and then download small modules to execute a fine set of operations.

The malware may not have modules for all the features supported by more complex malware strains, but it has enough components to put users and their data at risk, while also being a huge annoyance due to its adware-like features.

At the time of writing, Bitdefender has documented the following modules/features in a 48-page report the company shared with ZDNet:

  • Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet
    Explorer, Baidu Browser and Yandex Browser.
  • Steal a user's payment accounts from his Facebook, Amazon and Airbnb webpages.
  • Send friend requests to other accounts, from the user's Facebook account.
  • Send phishing messages to the victim's Facebook friends containing malicious APKs used to infect Android users as well.
  • Steal login credentials for the user's account on Steam.
  • Inject JavaScript adware in Internet Explorer.
  • Install Chrome/Opera extensions to inject JavaScript adware on these browsers as well.
  • Exfiltrate browsing history.
  • Silently display ads or muted YouTube videos to users via Chrome. We found some droppers that can install Chrome if it is not already on the victim's computer.
  • Subcribe users to YouTube video channels.
  • Download and execute any payload.

Scranos has already infected thousands

Bitdefender says the malware is nowhere near as widespread and prevalent as the Zacinlo adware campaign it detected last June.

Nevertheless, the Scranos operation has started expanding operations beyond its original Chinese targeting, already infecting thousands, based on Bitdefender's view. Currently, Scranos is making victims all over the world, but most infections have been reported in India, Romania, Brazil, France, Italy, and Indonesia.

Scranos infection map

Image: Bitdefender

The bad news is that Scranos doesn't seem limited to one or two platforms only, and can infect all known Windows versions, from XP to Windows 10, with the most victims found on Windows 10 and 7, respectively.

Scranos infection distribution

Image: Bitdefender

Antivirus companies often spot in-dev malware on VirusTotal and while malware operators perform tests, but all signs point to Scranos being a successful malware development effort.

Bitdefender said it spotted cases where the malware has been used to install rogue extensions in users' browsers and to subscribe thousands of users to specific YouTube channels.

Scranos, the rootkit-backdoor-infostealer-adware

Whoever is behind Scranos is dead set on creating a powerful new malware strain, according to Bitdefender's team.

"This operation is constantly evolving, as demonstrated by the fact that its developers build in new functionalities rather than rely on
external tools that may be detected as malicious," researchers said.

It's hard to classify Scranos as a particular threat. It contains the features usually found in backdoor trojans, infostealers, and in adware families.

However, regardless of the active modules that have been downloaded and installed on a victim's computer, the most crucial one that needs to be removed with the highest priority is Scranos' rootkit.

Luckily, the Bitdefender report contains detailed step-by-step removal instructions for any users to follow.

Related malware and cybercrime coverage: