Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation
Last year, the Bitdefender Cyber Threat Intelligence Lab started analysis of a new password- and data-stealing operation based around a rootkit driver digitally signed with a possibly stolen certificate. The operation, partially described in a recent article by Tencent, primarily targeted Chinese territory until recently, when it broke out around the world.
Despite the sophistication, this attack looks like a work in progress, with many components in the early stage of development. Although the campaign has not reached the magnitude of the Zacinlo adware campaign, it is already infecting users worldwide.
We discovered that the operators of this rootkit-enabled spyware are continuously testing new components on already-infected users and regularly making minor improvement to old components. The various components can serve different purposes or take different approaches to achieving their goals. Some of the most important components shipped with the malware can achieve the following:
- Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser.
- Steal a user’s payment accounts from his Facebook, Amazon and Airbnb webpages.
- Send friend requests to other accounts, from the user’s Facebook account.
- Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Android users as well.
- Steal login credentials for the user’s account on Steam.
- Exfiltrate browsing history.
- Silently display ads or muted YouTubevideos to users via Chrome. We found some droppers that can install Chrome if it is not already on the victim’s computer.
- Subscribe users to YouTube video channels.
- Download and execute any payload.
Want to learn more? Download the full paper below:
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
July 21, 2021
How We Tracked a Threat Group Running an Active Cryptojacking Campaign
July 14, 2021
A Note from the Bitdefender Labs Team on Ransomware and Decryptors
May 26, 2021
New Nebulae Backdoor Linked with the NAIKON Group
April 28, 2021
Good riddance, GandCrab! We’re still fixing the mess you left behind.
June 17, 2019