Scranos: New Rapidly Evolving Rootkit-Enabled Spyware Discovered

A new rootkit-enabled spyware operation has been discovered in which hackers distribute multifunctional malware disguised as cracked software or trojanized apps masquerading as legitimate software such as video players, drivers, and even anti-virus products.

While the rootkit malware known as Scranos, which was discovered late last year, appears to be a work in progress, it is constantly evolving, testing new components and improving old ones, making it a significant threat.

Scranton has a modular design and can already steal login credentials and payment accounts from various popular services, exfiltrate browsing history and cookies, get YouTube subscribers, display ads, and download and execute any payload.

The malware gains persistence on infected machines by installing a digitally-signed rootkit driver, according to a 48-page in-depth report Bitdefender shared with The Hacker News prior to its release.

Researchers believe attackers obtained the valid digital code-signing certificate fraudulently, which was issued to Yun Yu Health Management Consulting (Shanghai) Co., Ltd. and was not revoked at the time of writing.

“To achieve persistence, the rootkit registers a Shutdown callback. The driver is written to disk at shutdown, and a start-up service key is created in the Registry “According to the researchers.

When the rootkit malware infects a legitimate process, it injects a downloader into it, which then communicates with the attacker-controlled Command-and-Control (C&C) server and downloads one or more payloads.

Here are some examples of data and password-stealing payloads:

Password and Web History Payload Theft — Browser cookies and login credentials are stolen from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser, and Yandex. It can also steal cookies and login information from victims’ Facebook, YouTube, Amazon, and Airbnb accounts.

Extension Installer Payload — This payload installs adware extensions in Chrome and injects malicious or malware-laden advertisements on all web pages visited by users. A few samples were also discovered installing bogus browser extensions like Chrome Filter, Fierce-tips, and PDF Maker.

Steam Data Stealer Payload — This component steals and sends the attacker’s server victims’ Steam account credentials and information, including the list of installed apps and games and hardcoded versions.

Malware interacts with Facebook and YouTube on behalf of victims

Some payloads can even interact with websites on behalf of the victim, such as:

YouTube subscriber payload — This payload manipulates YouTube pages by running Chrome in debug mode and instructing the browser to perform various actions on a webpage such as starting a video, muting a video, subscribing to a channel, and clicking advertisements.

Facebook Spammer Payload — Using cookies and other tokens obtained from other users, attackers can instruct the malware to send Facebook friend requests to other users. It can also send private messages with links to malicious Android APKs to the victim’s Facebook friends.

Adware for Android — The malware app, disguised as the legitimate “Accurate scanning of QR code” app available on Google Play, aggressively displays ads, tracks infected victims, and uses the same C&C server as the Windows malware.

Scranos steals credit card information from well-known websites

The following is a list of DLLs found in the main dropper:

Facebook DLL — This DLL extracts information from user Facebook accounts, such as payment accounts, friend lists, and whether or not they are page administrators.

Amazon DLL — This DLL retrieves data from the user’s Amazon account. Researchers discovered a variant of this DLL that was designed to extract data from logged-in Airbnb accounts.

According to Bitdefender researchers, Scranos targets users worldwide, but “it appears to be more prevalent in India, Romania, Brazil, France, Italy, and Indonesia.”

The earliest sample of this malware was discovered in November 2018, with a massive spike in December and January, but in March 2019, Scranos began pushing other strains of malware, which researchers say is “a clear indicator that the network is now affiliated with third parties in pay-per-install schemes.”

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus
Ransomware Victims Are Fully Refusing To Pay

January 20, 2023

Cybercriminals’ preferred method of extortion is declining. Briefly, ransomware-type malware threats encrypt files and then demand payment in cryptocurrency from victims to decrypt them. In 2022, however, the market began to shift as fewer businesses elected to be blackmailed. According…

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of