A new rootkit-enabled spyware operation has been discovered in which hackers distribute multifunctional malware disguised as cracked software or trojanized apps masquerading as legitimate software such as video players, drivers, and even anti-virus products.
While the rootkit malware known as Scranos, which was discovered late last year, appears to be a work in progress, it is constantly evolving, testing new components and improving old ones, making it a significant threat.
Scranos has a modular design and can already steal login credentials and payment account details from various popular services, exfiltrate browsing history and cookies, subscribe victims to YouTube channels, display ads, and download and execute any payload.
The malware gains persistence on infected machines by installing a digitally-signed rootkit driver, according to a 48-page in-depth report Bitdefender shared with The Hacker News prior to its release.
Researchers believe the attackers fraudulently obtained the valid code-signing certificate, which was issued to Yun Yu Health Management Consulting (Shanghai) Co., Ltd. and had not been revoked at the time of writing.
“To achieve persistence, the rootkit registers a Shutdown callback. The driver is written to disk at shutdown, and a start-up service key is created in the Registry,” according to the researchers.
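The persistence pattern quoted above (a driver written outside the normal drivers directory and registered through a service key, signed with a certificate that is valid but attributed to an unexpected publisher) is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from Bitdefender or from the report; it triages constructed Sysmon-style DriverLoad (Event ID 6) and RegistryEvent/SetValue (Event ID 13) records. The event records, the service name ExampleSvc and the paths under C:\ProgramData\Example are constructed for the example; the single watch-listed publisher name is the certificate subject named in the report.

```python
"""Defensive triage of Sysmon-style events for signed-rootkit persistence:
a kernel driver loaded from outside System32\\drivers, a driver whose
Authenticode publisher is on a watch list, or a service ImagePath written to
point at a .sys file outside System32\\drivers. All records are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Canonical location for kernel drivers on a default Windows install.
DRIVER_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.I)

# ImagePath values written under a service key; group 1 is the service name.
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet00\d)\\Services\\([^\\]+)\\ImagePath$",
    re.I,
)

# Authenticode publisher names to alert on. The single entry is the certificate
# subject named in the report; in practice this list comes from threat intel.
WATCHED_PUBLISHERS = {"yun yu health management consulting (shanghai) co., ltd."}


@dataclass
class Finding:
    record_id: int
    reason: str


def normalize_path(raw: str) -> str:
    """Turn the spellings seen in ImagePath/ImageLoaded (\\??\\ prefix,
    \\SystemRoot\\, or a path relative to %SystemRoot%) into a plain drive path."""
    p = raw.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        p = "C:\\Windows\\" + p[len("\\systemroot\\"):]
    elif low.startswith("system32\\"):
        p = "C:\\Windows\\" + p
    return p


def check_driver_load(ev: dict) -> list[str]:
    """Event ID 6: a kernel driver was loaded."""
    reasons = []
    image = normalize_path(ev.get("ImageLoaded", ""))
    if ev.get("Signature", "").strip().lower() in WATCHED_PUBLISHERS:
        reasons.append(f"driver signed by watched publisher: {ev['Signature']}")
    if (ev.get("Signed", "true").lower() != "true"
            or ev.get("SignatureStatus", "Valid").lower() != "valid"):
        reasons.append("driver signature missing or not valid")
    if not DRIVER_DIR.match(image):
        reasons.append(f"driver loaded from outside System32\\drivers: {image}")
    return reasons


def check_registry_set(ev: dict) -> list[str]:
    """Event ID 13: a registry value was set. Flag service ImagePath writes
    that point a .sys file outside System32\\drivers (the start-up key shape)."""
    m = SERVICE_IMAGEPATH.match(ev.get("TargetObject", ""))
    if not m:
        return []
    path = normalize_path(ev.get("Details", ""))
    if path.lower().endswith(".sys") and not DRIVER_DIR.match(path):
        return [f"service '{m.group(1)}' registered with driver outside "
                f"System32\\drivers: {path}"]
    return []


def triage(events: list[dict]) -> list[Finding]:
    """Run the per-event checks and collect one Finding per reason."""
    checks = {6: check_driver_load, 13: check_registry_set}
    findings = []
    for ev in events:
        check = checks.get(ev.get("EventID"))
        if check is None:
            continue
        for reason in check(ev):
            findings.append(Finding(ev["RecordID"], reason))
    return findings


# Constructed sample: a benign driver load, a benign service ImagePath write,
# and two records shaped like the persistence described in the report.
SAMPLE_EVENTS = [
    {"EventID": 6, "RecordID": 101, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 13, "RecordID": 102, "EventType": "SetValue",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ImagePath",
     "Details": r"System32\drivers\tcpip.sys"},
    {"EventID": 13, "RecordID": 103, "EventType": "SetValue",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath",
     "Details": r"\??\C:\ProgramData\Example\example.sys"},
    {"EventID": 6, "RecordID": 104, "ImageLoaded": r"C:\ProgramData\Example\example.sys",
     "Signed": "true", "Signature": "Yun Yu Health Management Consulting (Shanghai) Co., Ltd.",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.reason}")
```

Note that a valid signature is deliberately not treated as exculpatory: the checks key on where the driver lives and who signed it, because, as the report notes, the certificate here was valid and unrevoked.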
When the rootkit malware infects a legitimate process, it injects a downloader into it, which then communicates with the attacker-controlled Command-and-Control (C&C) server and downloads one or more payloads.
Here are some examples of data and password-stealing payloads:
Password and Browsing History Stealer Payload — Browser cookies and login credentials are stolen from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser, and Yandex. It can also steal cookies and login information for victims’ Facebook, YouTube, Amazon, and Airbnb accounts.
Extension Installer Payload — This payload installs adware extensions in Chrome and injects malicious or malware-laden advertisements on all web pages visited by users. A few samples were also discovered installing bogus browser extensions like Chrome Filter, Fierce-tips, and PDF Maker.
Steam Data Stealer Payload — This component steals victims’ Steam account credentials and information, including the list of installed apps and games and the hardcoded version, and sends them to the attacker’s server.
Malware interacts with Facebook and YouTube on behalf of victims
Some payloads can even interact with websites on behalf of the victim, such as:
YouTube subscriber payload — This payload manipulates YouTube pages by running Chrome in debug mode and instructing the browser to perform various actions on a webpage such as starting a video, muting a video, subscribing to a channel, and clicking advertisements.
Facebook Spammer Payload — Using harvested cookies and other session tokens, attackers can instruct the malware to send Facebook friend requests to other users. It can also send private messages with links to malicious Android APKs to the victim’s Facebook friends.
Adware for Android — The malware app, disguised as the legitimate “Accurate scanning of QR code” app available on Google Play, aggressively displays ads, tracks infected victims, and uses the same C&C server as the Windows malware.
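The YouTube subscriber payload above drives the browser by running Chrome in debug mode. The example below is added here and is not code from the report or from Bitdefender; it assumes that "debug mode" refers to Chromium's real DevTools remote-debugging switches (--remote-debugging-port, --remote-debugging-pipe) and shows how a defender can score process-creation telemetry for a browser started that way. The process records, process IDs, parent paths and the C:\ProgramData\Example profile directory are constructed; field names follow Sysmon's ProcessCreate (Event ID 1) schema.

```python
"""Defensive check for a Chromium-based browser launched with its DevTools
remote-debugging interface enabled. Severity rises when the launch is also
headless, uses a separate profile directory, or comes from a parent process
that is not the user's shell. All process records are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

CHROMIUM_IMAGES = ("\\chrome.exe", "\\msedge.exe", "\\chromium.exe")
# Parents from which a person normally starts a browser; anything else adds severity.
INTERACTIVE_PARENTS = ("\\explorer.exe",)
# One token is a run of non-space characters and/or double-quoted strings.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


@dataclass
class Finding:
    process_id: int
    severity: int
    reasons: list[str] = field(default_factory=list)


def parse_switches(cmdline: str) -> dict[str, str]:
    """Split a Windows command line into --name[=value] switches (quotes removed)."""
    switches = {}
    for tok in TOKEN.findall(cmdline)[1:]:  # token 0 is the executable itself
        if tok.startswith("--"):
            name, _, value = tok[2:].partition("=")
            switches[name.lower()] = value.replace('"', "")
    return switches


def assess_process(ev: dict) -> Finding | None:
    """Return a Finding for a Chromium process with remote debugging on, else None."""
    image = ev.get("Image", "").lower()
    if not image.endswith(CHROMIUM_IMAGES):
        return None
    sw = parse_switches(ev.get("CommandLine", ""))
    reasons = []
    if "remote-debugging-port" in sw:
        reasons.append(f"remote debugging on port {sw['remote-debugging-port']}")
    if "remote-debugging-pipe" in sw:
        reasons.append("remote debugging over pipe")
    if not reasons:
        return None
    severity = 1
    if "headless" in sw:  # the window never becomes visible to the user
        severity += 1
        reasons.append("headless")
    if "user-data-dir" in sw:  # a profile separate from the user's own
        severity += 1
        reasons.append(f"separate profile directory: {sw['user-data-dir']}")
    parent = ev.get("ParentImage", "").lower()
    if not parent.endswith(INTERACTIVE_PARENTS):
        severity += 1
        reasons.append(f"launched by non-interactive parent: {ev.get('ParentImage')}")
    return Finding(ev["ProcessId"], severity, reasons)


def scan(events: list[dict]) -> list[Finding]:
    return [f for f in map(assess_process, events) if f is not None]


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample: a normal user launch, a developer's debugging session,
# and a hidden launch from a non-shell parent with a private profile.
SAMPLE_PROCESSES = [
    {"ProcessId": 3044, "Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}" --profile-directory=Default'},
    {"ProcessId": 4312, "Image": CHROME,
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": f'"{CHROME}" --remote-debugging-port=9222 http://localhost:3000/'},
    {"ProcessId": 5120, "Image": CHROME, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f'"{CHROME}" --remote-debugging-port=0 --headless '
                    f'--user-data-dir="C:\\ProgramData\\Example\\profile" about:blank'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f"pid {f.process_id} severity {f.severity}: {'; '.join(f.reasons)}")
```

The developer case scores low on purpose: remote debugging is a legitimate feature, so the signal worth alerting on is the combination with a hidden window, a throwaway profile and a parent that no person would launch a browser from.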
Scranos steals credit card information from well-known websites
The following is a list of DLLs found in the main dropper:
Facebook DLL — This DLL extracts information from user Facebook accounts, such as payment accounts, friend lists, and whether or not they are page administrators.
Amazon DLL — This DLL retrieves data from the user’s Amazon account. Researchers discovered a variant of this DLL that was designed to extract data from logged-in Airbnb accounts.
According to Bitdefender researchers, Scranos targets users worldwide, but “it appears to be more prevalent in India, Romania, Brazil, France, Italy, and Indonesia.”
The earliest sample of this malware was discovered in November 2018, with a massive spike in December and January, but in March 2019, Scranos began pushing other strains of malware, which researchers say is “a clear indicator that the network is now affiliated with third parties in pay-per-install schemes.”