Fri. Jun 5th, 2020

Scranos, A New Rootkit Malware, Expands Operations From China to the Rest of the World


A new malware that was previously limited to China has expanded to infect users from all over the world.


Although Scranos only emerged in recent months, new research from anti-virus firm Bitdefender shows that infections have skyrocketed. The victims tend to be users who have a habit of downloading and installing cracked software applications.


According to Bitdefender experts, these cracked apps are bundled with the relatively new malware strain Scranos, which installs a rootkit driver that gives the malware full control of the victim’s system early in the infection. Although Bitdefender describes Scranos as a “work in progress,” the malware is already very dangerous as it is.


One of the most dangerous features of Scranos is that once it infects a host computer, it phones home to its command-and-control server for additional instructions, which typically include downloading additional malware.


Although Scranos does not have all of the features typically found in more complex malware strains, it has enough components to put users’ data at risk. For instance, the malware can inject custom code libraries into browsers such as Chrome, Firefox, Edge and Baidu, to name a few, and then targets the victim’s Facebook, YouTube, Amazon and Airbnb accounts, gathering data to send back to the malware operator.


Other features of Scranos are:

  • Send friend requests to other accounts, from the user’s Facebook account.
  • Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Android users as well.
  • Steal login credentials for the user’s account on Steam.
  • Inject JavaScript adware in Internet Explorer.
  • Install Chrome/Opera extensions to inject JavaScript adware on these browsers as well.
  • Exfiltrate browsing history.
  • Silently display ads or muted YouTube videos to users via Chrome. We found some droppers that can install Chrome if it is not already on the victim’s computer.
  • Subscribe users to YouTube video channels.
  • Download and execute any payload.


Even worse, Scranos is not limited to one or two versions of Windows: it can infect all known Windows versions, from XP to Windows 10. So far, most infections have been reported in India, Romania, Brazil, France, Italy and Indonesia.


Bitdefender has also found cases where Scranos was used to install rogue extensions in users’ browsers and to subscribe thousands of users to specific YouTube Channels.


Additionally, Bitdefender experts believe that the person or group behind Scranos is set on creating a powerful new malware strain.


“This operation is constantly evolving, as demonstrated by the fact that its developers build in new functionalities rather than rely on external tools that may be detected as malicious,” researchers said.


Because Scranos combines features typically found in backdoor trojans, infostealers and adware families, it is hard to classify it as one particular kind of threat. The component with the highest priority for removal, however, is the Scranos rootkit driver, since it is what keeps the rest of the malware in control of the system.


Luckily, the Bitdefender report contains detailed step-by-step removal instructions.