Anti-Malware Research Whitepapers

Scranos Revisited – Rethinking persistence to keep established network alive

In April, Bitdefender broke the news of an emerging botnet dubbed Scranos. Originating from China, it has spread across Europe and the United States, snaring Windows and Android devices with advertising fraud and social network manipulation.

Our original report shone a spotlight on the Scranos operators and exposed, among other things, their illicit use of Authenticode certificates. After Bitdefender reported the certificate used to sign the rootkit driver to Digicert as being used maliciously, the Scranos operators lost their main mechanism for persistence and disguise. When the Scranos report was published, the attackers also saw their command and control infrastructure flagged for malicious activity and shut down.

We kept an eye on developments in the weeks after publication and documented how the operators tried to rebuild the botnet and restore its functionality. This led us to identify new components that generate ad revenue in the background by visiting arbitrary URLs with Google Chrome, and that disguise ads as notifications to earn additional revenue at the user’s expense.

This report, which updates our original research, includes:

  • An overview of how the cybercrime group compensates for the loss of the stolen digital signing certificate with another persistence method based on DLL hijacking of legitimate Microsoft executables.
  • A detailed account of how the attackers are rebuilding the command and control infrastructure, and information about the domain generation algorithm in the new samples.
  • New functionality to replace the hosts file – attackers can redirect any website to their own servers or block access to some domains altogether.
  • A new payload used to generate ad revenue by visiting arbitrary URLs.
  • A new script injected into visited pages to display ads and redirect web searches.
  • A Facebook data-stealing payload that is still widely used.
  • A fake application developed by the attackers to disseminate the Scranos malware to new users.
  • A Trojan pushed by Scranos that is capable of distributed denial of service (DDoS) attacks and of disabling the Windows security services.
  • A Trojan pushed by Scranos that turns the device into a cryptocurrency miner.
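The hosts-file replacement described above has two observable effects on an infected machine: real domains mapped to an attacker-controlled address (redirection) and real domains mapped to a loopback or unspecified address (blocking). The following script is an added example written for this page, not code from Bitdefender or from the report; it parses a hosts file and reports both kinds of entry. The watch-list of domains, the sample hosts content and the addresses in it are constructed for illustration.

```python
"""Audit a Windows hosts file for entries that redirect or block domains.

Added example (not from the Bitdefender report). Two behaviours are flagged:
  - "redirect": a hostname mapped to an address that is neither loopback nor
    unspecified, i.e. traffic for that name goes somewhere else;
  - "block":    a watched hostname mapped to loopback/0.0.0.0, i.e. sinkholed.
Every finding is a candidate for review, not proof of infection: intranet
overrides and ad-blocking lists legitimately produce both patterns.
"""
import ipaddress
from dataclasses import dataclass

# Default location of the hosts file on Windows.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed watch-list: domains whose blocking would harm the user
# (update and security-vendor sites). A real deployment would use its own.
WATCHED_DOMAINS = {"windowsupdate.com", "bitdefender.com", "google.com"}


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    kind: str  # "redirect" or "block"


def _base_domain(hostname: str) -> str:
    """Reduce 'update.vendor.com.' to 'vendor.com' for watch-list lookup."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()


def audit_hosts(text: str) -> list:
    """Parse hosts-file text and return a list of Finding objects."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Strip trailing comments and surrounding whitespace.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: no hostname after the address
        address, hostnames = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue  # not an IP address; skip rather than guess
        local = ip.is_loopback or ip.is_unspecified
        for host in hostnames:
            if local:
                # Loopback/0.0.0.0 is only suspicious for domains we care about.
                if _base_domain(host) in WATCHED_DOMAINS:
                    findings.append(Finding(line_no, address, host, "block"))
            else:
                findings.append(Finding(line_no, address, host, "redirect"))
    return findings


def audit_hosts_file(path: str = WINDOWS_HOSTS_PATH) -> list:
    """Read a hosts file from disk and audit it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample mimicking a tampered hosts file (documentation-range
# and private addresses only; nothing here is a real indicator).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example-bank.test    # redirected to a foreign host
0.0.0.0         update.bitdefender.com   # security updates sinkholed
127.0.0.1       windowsupdate.com
10.0.0.5        intranet.corp.test       # legitimate-looking override
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.kind:8s} {f.address:15s} -> {f.hostname}")
```

Running the module on the constructed sample lists four entries: two redirects (the bank lookalike and the intranet override) and two blocks (the update and vendor domains). The intranet line shows why the output is a review queue rather than a verdict; comparing the flagged hostnames against a known-good baseline or an allow-list is the natural next step.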

Want to learn more? Download the full paper below:

Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

About the author

Andrei ARDELEAN

Security Researcher

Andrei Ardelean has been doing security research at Bitdefender since his second year in university. He is passionate about computer science and engineering and believes the best way to stay on your toes in computer science is doing research in security. He likes hidden details and thinks that having his beliefs and ideas challenged is a great way to get a different perspective on a subject. When he isn't fiddling around with a computer, he likes playing sports and learning something new.

About the author

Cristofor OCHINCA

Security Researcher, Cyber Threat Intelligence Lab

At 12 he fell in love with C. At 17 he fell in love with Assembly and the art of pen-testing. At 23 he fell in love with AI and its applications in cyber security. Staying up to date with the latest innovations, not only in the topics mentioned but in tech in general, is a passion rooted deep in his core mentality. Loves nature and meditation.

About the author

Cristian Alexandru ISTRATE

Team Lead, Cyber Threat Intelligence Lab

About the author

Claudiu Stefan COBLIS

Security Researcher