Posted on April 16, 2019 at 1:24 PM
Scranos: New, Sophisticated Malware Steals Passwords and Hijacks Browsers
Information security researchers have uncovered a new rootkit malware going by the name of Scranos. The infosec community calls it an unusual program that is completely commercial. It increases Youtube ad revenue and subscribers.
Scranos uses a rootkit method
when Scranos infects a computer, it gives the malicious software rootkit capabilities. Burying itself deep inside Windows, it will persist even after the user restarts their computer. The malware has only really emerged recently, going back to November 2018. Bitdefender released research on Tuesday that gave details on what the malware is capable of and what the originators intended to use it for. They say that the malware identifications have skyrocketed since it was discovered.
Bogan Batezu, Director of Threats and Reseach at Bitdefender, says that the malware is strictly a commercial venture on the part of a group of as-yet-unknown hackers. In his opinion, the hackers only seem to want a botnet that will spread as quickly and as deeply as possible to consolidate their business. This business is to control trending topics and gain money from ad revenue via social media. They also use it as a base to further distribute third-party malware.
Where was Scranos found?
Scranos used a popular Trojan Horse method of infecting computers. It posed as a legitimate ebook or video player software while instead installing rootkit capabilities and the rest of its payload. The downloads used fraudulently generated certificates so that Windows did not know it was not a legitimate download.
Once Scranos has gained rootkit capabilities, it phones home and downloads additional component. It will then go on to do whatever the group controlling the botnet wants it to do. This has so far mainly been to discreetly visit certain Youtube videos, subscribe and click on the ads. It does this by opening Chrome in debugging mode, followed by hiding the browser from the desktop and taskbar so that the user doesn’t notice.
The browser then opens a Youtube video, mutes it and subscribes to whatever channel the command and control server specifies. The Bitdefender researchers found that the malware has aggressively promoted four videos on different channels. This is basically using the victims’ computers as a click farm that generates video ad revenue.
The accounts that they are promoting are most likely form people who have paid to become more popular on Youtube, and people who are looking to become highly popular influencers. This is shown by additional components that are downloaded depending on the need of the botnet owner.
It can abuse the fact that the user is logged in to Facebook to send phishing messages to friends. The malware is also able to siphon off session cookies that it then sends to an Android adware app via Messenger. In addition to this, it also attempts to gain access to Instagram, showing that influencers who want a shortcut to success are the most likely audience for groups like these.
Other components include stealing data from Steam accounts, injecting adware into Internet Explorer, running Chrome extension not from the store and collecting data on the browsing history f the victim.
Batezu says that this threat is highly sophisticated and whoever created it must have taken a long time to set things in motion. He believes that there are thousands of devices already part of the botnet, if not more. He goes on to say that rootkit level malware is not very common in modern programs, so that shows a level of dedication that is not generally seen in the malicious hacking field.
Industry experts are worried about what could happen if this malware finds its way out into more devices and how that would impact the social media landscape at large. There is already a movement by larger companies to enforce draconian punishments for mistakes on their platforms, and this new outbreak could lead to even more actions being taken despite the users not having any knowledge of the actions of the malware.
