After attacking China, Scranos malware began to spread to the world

Bitdefender CyberThreat Intelligence Lab said that Scranos malware, which is mainly active in China, has begun to affect users around the world. According to the company’s latest report, the most important piece of this malware is a rootkit driver that’s hidden inside the tainted apps. Researchers have found that the operators behind malware constantly test components and improve them on a regular basis, with different components being used for different purposes.

Image: Bitdefender

The malware has been found to do the following:

• Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser.
• Steal a user’s payment accounts from his Facebook, Amazon and Airbnb webpages.
• Send friend requests to other accounts, from the user’s Facebook account.
• Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Androidusers as well.
• Steal login credentials for the user’s account on Steam.
• Inject JavaScript adware in Internet Explorer.
• Install Chrome/Opera extensions to inject JavaScript adware on these browsers as well.
• Exfiltrate browsing history.
• Silently display ads or muted YouTube videos to users via Chrome. We found some droppers that can install Chrome if it is not already on the victim’s computer.
• Subscribe users to YouTube video channels.
• Download and execute any payload.

Bitdefender’s research shows that malware is spread through Trojans, disguised as cracking software or legitimate software applications, such as e-book readers, video players, drivers, and even anti-malware products. Malware is hidden in the device for a long time by the rootkit driver to continue downloading and installing other components.

The report shows that the software is currently showing signs of activity around the world and is more active in India, Romania, Brazil, France, Italy, and Indonesia. Based on the sample, the researchers speculated that the malware started its activities as early as November 2018 and was more frequent in December and January. In March 2019, the command and control server began pushing other types of malware.