
Scranos rootkit spyware operation is infecting victims worldwide


Bitdefender: Scranos, a cross-platform, rootkit-enabled spyware operation, is infecting victims worldwide. It disguises itself as cracked software or a trojanized app, posing as legitimate software such as video players, drivers and even anti-virus products.

The operation, dubbed Scranos, is a cross-platform, rootkit-enabled spyware campaign discovered by Bitdefender cyber security researchers. The cybercrime group is distributing multifunctional malware disguised as cracked software or trojanized apps, posing as legitimate software such as video players, drivers and even anti-virus products. It operates worldwide, but especially against targets in India, Romania, Brazil, France, Italy, and Indonesia. Scranos features a modular design that has already gained capabilities to steal login credentials and payment accounts from various popular services, exfiltrate browsing history and cookies, gain YouTube subscribers, display ads, and download and execute any payload. The malware gains persistence on infected machines by installing a digitally-signed rootkit driver. “The rootkit registers a Shutdown callback to achieve persistence. At shutdown, the driver is written to disk, and a start-up service key is created in the Registry,” the researchers explained in a report.
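To look for the persistence mechanism the quote describes, here is an added PowerShell example (mine, not Bitdefender's or the article's) that audits kernel-driver service keys under HKLM\SYSTEM\CurrentControlSet\Services and lists those whose image file is missing or is not validly signed with a Microsoft certificate. It assumes an elevated PowerShell 5.1 or later prompt; the function names are my own.

```powershell
# Added example: triage kernel-driver service keys, the registry location where the
# report says the rootkit creates its start-up service key. Output is a triage list,
# not a verdict: on older PowerShell, catalog-signed inbox drivers can show as NotSigned.

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                         # strip the \??\ NT prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDriverService {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem $base | ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath
        # Type 1 = kernel driver, 2 = file-system driver; Start 0/1/2 = boot/system/auto,
        # i.e. drivers that load without user interaction, which is what persistence needs.
        if ($svc.Type -notin 1, 2 -or $svc.Start -gt 2) { return }
        $path   = Resolve-DriverImagePath $svc.ImagePath
        $exists = $path -and (Test-Path -LiteralPath $path)
        $signer = $null; $status = 'FileMissing'
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status
            $signer = $sig.SignerCertificate.Subject
        }
        # A validly signed driver from an unfamiliar publisher is exactly the Scranos
        # case (the rootkit driver was digitally signed), so flag non-Microsoft signers too.
        if ((-not $exists) -or ($status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft')) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Start     = $svc.Start
                ImagePath = $path
                Signature = $status
                Signer    = $signer
            }
        }
    }
}

Get-SuspiciousDriverService | Format-Table -AutoSize
```

Cross-check any flagged entry against the driver's publisher and the file's creation time; a recently created, signed driver with an unknown subject under a fresh service key is the pattern worth escalating.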

According to the cyber security experts, the malware can steal login credentials and payment accounts from various popular services, exfiltrate browsing history and cookies, gain YouTube subscribers, display ads, and download and execute any payload.

According to the cyber security experts, upon infection Scranos injects a downloader into a legitimate process, which then communicates with the attacker-controlled C2 server and downloads one or more payloads: a password and browsing history stealing payload, an extension installer payload, and a Steam data stealer payload. Other payloads can even interact with various websites on the victim’s behalf, such as the YouTube subscriber, Facebook spammer, and Android adware app components. Finally, the malware steals payment information from popular websites, especially Facebook and Amazon. Bitdefender revealed that the oldest sample of this malware dates back to November 2018, with a massive spike in December and January, but in March 2019 Scranos started pushing other strains. This is a clear indicator that the network is now affiliated with third parties in pay-per-install schemes.
