discovered wherein hackers are distributing multifunctional malware
disguised as cracked software or trojanized app posing as
legitimate software like video players, drivers and even anti-virus
products.
While the rootkit malware—dubbed Scranos—which was first
discovered late last year, still appears to be a work in progress,
it is continuously evolving, testing new components and regularly
making an improvement to old components, which makes it a
significant threat.
Scranos features a modular design that has already gained
capabilities to steal login credentials and payment accounts from
various popular services, exfiltrate browsing history and cookies,
get YouTube subscribers, display ads, as well as download and
execute any payload.
According to an 48 page in-depth report Bitdefender shared with The Hacker
News prior to its release, the malware gains persistence on
infected machines by installing a digitally-signed rootkit driver.
Researchers believe attackers obtained the valid digital
code-signing certificate fraudulently, which was originally issued
to Yun Yu Health Management Consulting (Shanghai) Co., Ltd. and has
not been revoked at the time of writing.
“The rootkit registers a Shutdown callback to achieve persistence.
At shutdown, the driver is written to disk, and a start-up service
key is created in the Registry,” the researchers say.
legitimate process which then communicates with the
attacker-controlled Command-and-Control (C&C) server and
downloads one or more payloads.
Here we have listed a few data and password-stealing
payloads:
Password and Browsing History Stealing Payload — The main
dropper steals browser cookies and login credentials from Google
Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet
Explorer, Baidu Browser and Yandex. It can also steal cookies and
login info from victims’ accounts on Facebook, YouTube, Amazon, and
Airbnb.
Extension Installer Payload — This payload installs
adware extensions in Chrome and injects malicious or malware-laden
ads on all webpages users visit. A few samples also found
installing fake browser extensions, such as Chrome Filter,
Fierce-tips and PDF Maker.
Steam Data Stealer Payload — This component steals and
sends victims’ Steam account credentials and information, including
the list of installed apps and games, as well as hardcoded version,
to the attacker’s server.
Some other payloads can even interact with various websites on the
victim’s behalf, such as:
YouTube subscriber payload — This payload manipulates
YouTube pages by running Chrome in debugging mode, instructing the
browser to take various actions on a webpage like starting a video,
muting a video, subscribing to a channel, and clicking ads.
other tokens, attackers can command malware to send Facebook friend
requests to other users. It can also send private messages to the
victim’s Facebook friends with links to malicious Android APKs.
Android Adware App — Disguised as the legitimate
“Accurate scanning of QR code” app available on Google Play Store,
the malware app aggressively displays ads, tracks infected victims
and uses same C&C server as the Windows malware.
Here’s the list of DLLs contained in the main dropper:
Facebook DLL — This DLL extracts information about the
user Facebook accounts including their payment accounts, their list
of friends, and if they are an administrator of a page.
Amazon DLL — This DLL extracts information from the user’s
Amazon account. Researchers even found a version of this DLL that
has been designed to extract information from logged-in Airbnb
accounts.
According to the telemetry gathered by Bitdefender researchers,
Scranos is targeting users worldwide, but “it seems more prevalent
in India, Romania, Brazil, France, Italy, and Indonesia.”
The oldest sample of this malware traced back to November 2018,
with a massive spike in December and January, but in March 2019,
Scranos was started pushing other strains of malware, which
researchers say is “a clear indicator that the network is now
affiliated with third parties in pay-per install schemes.”
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/Hcpo58lIOf8/scranos-rootkit-spyware.html