Scranos Rootkit Operation Turns Global; Enterprises to Improve Security Posture

Harish Agastya

May 03, 2019


Sophisticated threats remain one of the main concerns in enterprises today. As environments grow in complexity, malware actors find innovative ways to infiltrate overlooked entry points in the network, hiding behind the scenes to wreak havoc without ever making a full-blown appearance.

Bitdefender Cyber-Threat Intelligence Labs have once again uncovered the intricacies of a new cross-platform spyware operation. Expectations are the rootkit-enabled Scranos campaign will spread at least as widely as the Zacinlo ad fraud operation, an extremely sophisticated piece of spyware that has been running covertly since early 2012, generating revenue for its operators and compromising the privacy of its victims.

Scranos is already infecting users worldwide because of its ability to survive across platforms, extending its reach to a wider range of enterprise endpoints, particularly Android devices.


How It Works

Disguised as cracked software, or as applications posing as legitimate software such as e-book readers, video players, drivers or even antimalware products, Scranos is now part of a bigger scheme. The command and control servers are pushing other strains of malware – a clear indicator that the network is now affiliated with third parties in pay-per-install schemes.

The actors behind Scranos are continuously making tweaks to the malicious software, pushing new components to already-infected users and improving the more mature functionalities.

One of the first entry points into an enterprise is its employees. According to recent studies, they continue to be the weakest link in corporate IT security, and threat actors easily exploit them to infiltrate companies. Cyber-criminals are also exploiting the myriad of tools organizations use from third-party vendors. Their latest attack vectors include targeting smaller and less protected enterprise suppliers.

As a rootkit-enabled operation, Scranos is designed to hide itself from system management tools and could easily disable firewalls and traditional antimalware if instructed to do so. It is persistent and leverages cloaking capabilities to come back even after it has been detected and removed.

With data exfiltration being the primary objective, the stakes are high: from risk management issues, to intellectual property theft and brand reputation damage. Compliance is also a major concern. In fact, “accelerating privacy regulation” has overtaken “talent shortages” as the top emerging risk for enterprises in Q1 2019, according to a recent Gartner study.

Scranos can also leverage enterprise infrastructure to launch further attacks, which poses serious legal concerns, affects brand reputation and, ultimately, the bottom line.


Addressing the entire threat lifecycle

By 2020, there will be over five billion personal data records stolen and $8 trillion lost to cybercrime, according to Juniper Research. As Scranos actors continue to fine-tune malware components, the password- and data-stealing operation becomes stronger and eludes traditional endpoint protection.

A box-checking approach that includes firewalls and 8-digit passwords is no longer enough when dealing with stealthy and persistent threats. Anti-rootkit, anti-ransomware, behavioral analysis, advanced threat control, and machine learning capabilities are key to detecting and blocking sophisticated attacks.

To improve their security posture, enterprises also need to enhance their detection and response capabilities. Security should become more agile so that it moves and scales along with the business and the increasing number of “things” that need to be protected.

To mitigate sophisticated threats, Security Operations Centers need visibility into post-compromise detection. An optimized solution includes advanced protection, detection, and response, and addresses the entire threat lifecycle.

Technologies that SOC analysts can leverage include Sandbox Analyzer for detailed analytics on sophisticated threats, Network Traffic Security Analytics to analyze network traffic and endpoint traffic anomalies, and Hypervisor-based memory introspection to identify zero-days as easily as any known exploit.


Analyzing Indicators of Compromise

When dealing with complex operations, SOC analysts not only need to block them, but also understand threat actors, and automate responses to multiple attack vectors. To do so, they need to arm themselves with real-time insights that improve threat hunting and reduce time spent chasing “ghosts”.

In their deep dive into the Scranos rootkit operation, Bitdefender Cyber-Threat Intelligence Labs uncovered hundreds of unique Indicators of Compromise, including file hashes, domains, registry keys, URLs, and IPs.

The Scranos rootkit research is only part of their everyday threat investigation work. On a daily basis, our labs analyze and block approximately 600,000 IoCs using multiple technologies including machine learning, advanced heuristics, and content analysis.

Top-rated advanced threat intelligence that includes curated IoC data on unique, sophisticated threats such as Scranos has recently been made available for businesses and security operations centers worldwide.



Harish Agastya

Harish Agastya is VP of Enterprise Solutions at Bitdefender where he is responsible for the company’s enterprise business products and services portfolio. Agastya’s career spans over 25 years in high-tech B2B marketing, product management and R&D. Prior to joining Bitdefender, he held executive roles in marketing and products at other security companies. Agastya has an MBA from UC Berkeley and an MS in Computer Science from Penn State.
