Scranos Revisited – Rethinking persistence to keep established network alive


June 25, 2019


In April, Bitdefender broke the news of an emerging botnet dubbed Scranos. Originating from China, it has spread across Europe and the United States, snaring Windows and Android devices with advertising fraud and social network manipulation.

Our original report shone a spotlight on the Scranos operators and exposed their illicit use of Authenticode certificates, among other actions. After Bitdefender reached out to DigiCert to report malicious use of the certificate used to sign the rootkit driver, the Scranos operators lost their main mechanism to ensure persistence and disguise. When the Scranos report was published, the attackers saw their command and control infrastructure flagged for malicious activity and shut down.

We kept an eye on the developments in the weeks after the publication and documented how the operators tried to rebuild the botnet and restore functionality. This led us to identify new components used to generate ad revenue in the background by visiting arbitrary URLs with Google Chrome and to disguise these ads as notifications, generating additional ad revenue at the user’s expense.

This report, which updates our original research, includes:

  • An overview of how the cybercrime group compensates for the loss of the stolen digital signing certificate by using another persistence method based on DLL hijacking of legitimate Microsoft executables.
  • A detailed account of how attackers are rebuilding the command and control infrastructure, and information about the domain generation algorithm in the new samples.
  • New functionality to replace the hosts file – attackers can redirect any website to their own or restrict access to some domains altogether.
  • New payload used to generate ad revenue by visiting arbitrary URLs.
  • New script injected in visited pages for displaying ads and redirecting web searches.
  • Facebook data stealing payload still widely used.
  • A fake application developed by the attackers to disseminate the Scranos malware to new users.
  • Trojan pushed by Scranos capable of distributed denial of service (DDoS) attacks and disabling the Windows security services.
  • Trojan pushed by Scranos which turns the device into a cryptocurrency miner.
