Scranos is the name of a new rootkit-enabled spyware which despite its current sophistication appears to be “work-in-progress”. Bitdefender researchers recently discovered that the operators of Scranos are continuously testing new components on already-infected users and regularly making minor improvement to old components.
|Type||Spyware, Rootkit, Adware|
|Short Description||Scranos is a sophisticated spyware equipped with a rootkit driver which can perform a series of malicious activities. See article for details.|
|Distribution Method||Trojanized Apps, Cracked Software|
|Detection Tool|| See If Your System Has Been Affected by Scranos |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Scranos.|
|Data Recovery Tool||Windows Data Recovery by Stellar JoeGo Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Scranos Spyware in Detail
According to the latest report, the spyware contains various components that can serve different purposes and can be deployed in various scenarios.
Some of the most crucial components that come with Scranos have the following capabilities:
– Extract cookies and steal login credentials from popular browsers including Google Chrome, Chromium, Mozilla – Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser.
– Steal users’ payment accounts from Facebook, Amazon and Airbnb webpages.
– Send friend requests to other accounts, from the user’s Facebook account.
– Send phishing messages to the infected user’s Facebook friends which contain malicious APKs used to infect Android users as well.
– Steal login credentials for the user’s account on Steam.
– Exfiltrate browsing history.
– Silently display ads or muted YouTube videos to users via Chrome. The researchers discovered some droppers that can install Chrome if it is not already on the victim’s computer.
– Subscribe users to YouTube video channels.
– Download and execute any payload.
How Is Scranos Spyware Spread?
Not surprisingly, the malware is spread via Trojanized applications in the form cracked software, or software posing as useful as e-book readers, video players, drivers or even anti-malware products, the researchers said.
Upon execution, Scranos also installs a rootkit driver to disguise the malware and make it persistent on the system. The next step of the infection chain is “phoning home” and receiving commands on what other components to download and install. The report says that Scranos is infecting users on a global scale, with India, Romania, France, Italy and Indonesia having prevalent infections.
It is noteworthy that all identified Scranos samples confirm that this operation is in a consolidation stage:
the oldest samples identified date back to November 2018, with a massive spike in December and January. However, in March 2019, the command and control servers started pushing other strains of malware – a clear indicator that the network is now affiliated with third parties in pay-per install schemes.
The malware is also capable of interacting with specific websites on the victim’s behalf. More specifically, the malware is aggressively promoting four YouTube videos on different channels.
As for the rootkit driver, it utilizes an effective persistence mechanism of rewriting itself at shutdown but it doesn’t hide itself. The rootkit injects a downloader into a legitimate process, which then downloads one or more payloads.
Note that the rootkit it is not protected against deletion if detected. Besides the driver itself, no other components can be found on disk, as they are deleted after running. However, they can be downloaded again if needed, the report notes.
Long story short, users should be extremely careful with their online behavior. This malware is yet another reminder of how sophisticated attacks are becoming. For example one of the payloads of the Scranos campaign is manipulating other pages instead of YouTube, by interacting with ads displayed inside these pages:
How to Remove Scranos Spyware
Needless to say, rootkits and spyware are quite cunning and therefore, challenging to remove. There are steps however, that can rid your system of the malware and its rootkit component:
1. Close your browser(s).
2. Kill all processes running from temporary path. Remove files that are detected as malicious.
3. Kill rundll32.exe process.
4. Generate the rootkit file name as follows:
– Get current user’s SID.
– Compute MD5 of the string resulted from a).
– Get the first 12 characters from b).
5. Run a cmd or PowerShell window with Administrator rights and type: >sc stop sc delete .sys and delete the file.
7. Remove the DNS driver (below, MOIYZBWQSO should be replaced with your particular driver name):
– Check if the DNS driver is installed: in %TEMP% should be a file with 10 random uppercase letters (ex: MOIYZBWQSO. sys). In the Registry there should also be a key corresponding to the name (ex: HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\MOIYZBWQSO)
– Run a cmd or PowerShell window with Administrator rights and type:
– sc stop MOIYZBWQSO
– sc delete MOIYZBWQSO –
– Delete the file %TEMP%\MOIYZBWQSO.sys 8) Reb oot your PC to remove the injected code from the svchost.exe process. 9. Remove any suspicious extension from your browsers.
10. Change all your passwords.