Scranos Rootkit Spyware

Scranos is a recently observed rootkit-enabled spyware trojan. It is still in development and its creators are regularly adding new components as well as improving existing functionality.

Bitdefender found the malware spreading through trojanized downloads that masquerade as real apps, like video players and e-book readers.

Scranos is delivered via cracked software downloads and illegitimate applications such as video players, drivers and anti-virus products. When opened, these applications install a signed rootkit driver, which is then used to maintain persistence and install further Scranos components.

Once installed, Scranos injects a downloader into a legitimate process which then communicates with a command and control server. It can then download various modules, providing it with a wide range of capabilities, including :-

  • Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser.
  • Steal a user’s payment accounts from his Facebook, Amazon and Airbnb webpages.
  • Send friend requests to other accounts, from the user’s Facebook account.
  • Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Android users as well.
  • Steal login credentials for the user’s account on Steam.
  • Inject JavaScript adware in Internet Explorer.
  • Install Chrome/Opera extensions to inject JavaScript adware on these browsers as well.
  • Exfiltrate browsing history.
  • Silently display ads or muted YouTube videos to users via Chrome. We found some droppers that can install Chrome if it is not already on the victim’s computer.
  • Subscribe users to YouTube video channels.
  • Download and execute any payload.

Further details and a full report can be found here.

Image via Bitdefender

Indicators Of Compromise

Domains
• a12[.]fun
• b12[.]fun
• ab12[.]fun
• ossdown[.]fun
• d3pk[.]com
• fffffk[.]xyz
• downmsdn[.]com
• B453A3C474BE9C1BB54E927E99CA7CFA[.]online
• A4E43EDE382B7613F03D2997C80E2DA9[.]online
• 9D3C13FAF748710EBB5A8E1232B43CA7[.]online
• 80FD4C6BAC35BAB54608B2F60A9A1759[.]online
• D43AC96995C02E4A7CCECE3059730B95[.]online
• EC33503163B5789F6786C0D82B479364[.]online
• hh1m[.]com

IPs
• 178.162.132.79
• 114.114.114.114 (114dns Chinese public DNS)
• 104.24.97.162 (Cloudflare)

URLs
• https://www.fffffk[.]xyz/chrome/index.php
• https://s3.amazonaws[.]com/jscriptcdn/1f546f49ebf4153c8a.js
• http://info.d3pk[.]com
• http://info.d3pk[.]com/cams/
• http://info.d3pk[.]com/history/
• http://dl.ossdown[.]fun/wcrx.dat
• http://178[.]162[.]132[.]79/1.php
• http://a12[.]fun/json/json.php
• http://ab12[.]fun/info/info.php
• http://info[.]d3pk[.]com/history/index.php
• http://ab12[.]fun/chrome/
• http://ab12[.]fun/tool/
• http://fffffk[.]xyz/down/m_inc.js
• http://80FD4C6BAC35BAB54608B2F60A9A1759[.]online/sta.php
• http://A4E43EDE382B7613F03D2997C80E2DA9[.]online/sta.php
• http://9D3C13FAF748710EBB5A8E1232B43CA7[.]online/sta.php
• http://80FD4C6BAC35BAB54608B2F60A9A1759[.]online/sta.php
• http://D43AC96995C02E4A7CCECE3059730B95[.]online/sta.php
• http://EC33503163B5789F6786C0D82B479364[.]online/sta.php
• http://count.b12[.]fun/jump.php
• https://1898799673.rsc.cdn77[.]org/down/EdgeCookiesView.exe
• https://1898799673.rsc.cdn77[.]org/down/sqlite3.dll
• http://178[.]162[.]132[.]79/t.php?info=
• http://www.hh1m[.]com/fb/friend/index.php
• http://www.hh1m[.]com/fb/apk/index.php
• http://www.hh1m[.]com/fb/apk/count.php
• http://hh1m[.]com/count/app/index.php

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this:

Notice: ob_end_flush(): failed to send buffer of zlib output compression (0) in /home/systemte/public_html/wp-includes/functions.php on line 4339