Scranos Malware Crosses China Boundaries

Delaware, USA – April 16, 2019 – Cybercriminals who developed and tested their malware in China are now expanding their list of targets to neighbouring countries, or even to the whole world. Bitdefender Labs’ experts have published an analysis of the Scranos malware, which appeared at the end of last year and is still in development, but already poses a serious threat. Scranos is a rootkit that downloads and executes the modules it needs; it can load malicious DLLs and steal credentials from popular browsers. It spreads under the guise of cracked or free software, is signed with a stolen digital certificate that is still valid, and attacks Windows and Android systems. Most of the infected machines are running Windows 10. The downloadable modules are small, and once a module has completed its task the malware deletes it, which hinders analysis by researchers and helps the threat evade the attention of antivirus solutions.

At the moment, Scranos modules steal a victim’s payment account details from the Facebook, Amazon and Airbnb websites as well as Steam accounts, send malicious files with phishing messages to the victim’s Facebook friends, install malicious browser extensions and steal browsing history. Most experts were surprised by the module that manipulates subscriber counts and views on YouTube channels through the Chrome browser, since access to YouTube is restricted in China, where the malware is most widespread. If Chrome is not installed on the attacked system, the module downloads and installs it.

The most dangerous component for corporate users is the rootkit itself, which can download any newly developed module from the C&C server. The malware authors are skillful: at the time the analysis was published, Scranos was undetected by most popular antivirus solutions. Large numbers of infections with this malware are recorded in India, Brazil and several European countries. For the timely detection of suspicious events on Windows systems that need to be investigated, you can use the Windows Security Monitor rule pack available in Threat Detection Marketplace: https://my.socprime.com/en/integrations/windows-security-monitor-hpe-arcsight