Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation

Last year, the Bitdefender Cyber Threat Intelligence Lab started analysis of a new password- and data-stealing operation based around a rootkit driver digitally signed with a possibly stolen certificate. The operation, partially described in a recent article by Tencent, primarily targeted Chinese territory until recently, when it broke out around the world.

Despite the sophistication, this attack looks like a work in progress, with many components in the early stage of development. Although the campaign has not reached the magnitude of the Zacinlo adware campaign, it is already infecting users worldwide.

We discovered that the operators of this rootkit-enabled spyware are continuously testing new components on already-infected users and regularly making minor improvements to old components. The various components can serve different purposes or take different approaches to achieving their goals. Some of the most important components shipped with the malware can achieve the following:

  • Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser.
  • Steal a user’s payment accounts from their Facebook, Amazon and Airbnb webpages.
  • Send friend requests to other accounts, from the user’s Facebook account.
  • Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Android users as well.
  • Steal login credentials for the user’s account on Steam.
  • Inject JavaScript adware in Internet Explorer.
  • Install Chrome/Opera extensions to inject JavaScript adware on these browsers as well.
  • Exfiltrate browsing history.
  • Silently display ads or muted YouTube videos to users via Chrome. We found some droppers that can install Chrome if it is not already on the victim’s computer.
  • Subscribe users to YouTube video channels.
  • Download and execute any payload.

Want to learn more? Download the full paper below:

Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

About the author

Cristofor OCHINCA

Security Researcher, Cyber Threat Intelligence Lab

At 12 he fell in love with C. At 17 he fell in love with Assembly and the art of pen-testing. At 23 he fell in love with AI and its applications in cyber security. Staying up to date with the latest innovations not only in the topics mentioned, but in tech in general is a passion rooted deep in his core mentality. Loves nature and meditation.

About the author

Andrei ARDELEAN

Security Researcher

Andrei Ardelean has been doing security research at Bitdefender since his second year in university. He is passionate about computer science and engineering and believes the best way to stay on your computer science toes is doing research in security. He likes hidden details and thinks that having his beliefs and ideas challenged is a great way to get a different perspective on a subject. When he isn't fiddling around with a computer, he likes playing sports and learning something new.