How to prevent rootkit-enabled malware Scranos from harming your organization

The Scranos rootkit malware can do significant damage: it steals passwords and data and hides itself behind a kernel driver signed with a possibly stolen code-signing certificate. But it can be removed, according to security firm Bitdefender.

How the malware landscape is evolving

Rootkit malware is one of the most challenging and persistent threats faced by organizations and individuals. One recent threat, dubbed Scranos, is on the radar of security experts because it has expanded across the globe, according to a Tuesday report from Bitdefender.

First analyzed by Bitdefender late last year, Scranos hides behind a rootkit driver signed with a possibly stolen certificate and steals passwords and data. Until recently, Scranos was confined mostly to China, but it has since started spreading around the world. At this point, infections are concentrated in a handful of countries, including India, Romania, Brazil, France, Italy, and Indonesia, according to the report.


Scranos is distributed as cracked software or as trojanized apps that pose as legitimate programs, such as ebook readers, video players, drivers, and even security products. Upon execution, it installs a rootkit driver that conceals the malware. Scranos then contacts its command-and-control (C&C) servers to trigger the download of other components. The malware has been detected on all versions of Windows, including 10, 8.1, 8, 7, Vista, and XP, with the largest numbers found on Windows 10 and 7.

The Scranos samples collected by Bitdefender date back to November 2018, with a surge in December 2018 and January 2019. In March, the C&C servers began deploying other strains of malware, indicating that the network is now working with third parties in pay-per-install schemes.

"Despite the sophistication, this attack looks like a work in progress, with many components in the early stage of development," Bitdefender said in its report. "Although the campaign has not reached the magnitude of the Zacinlo adware campaign, it is already infecting users worldwide."

Scranos can perform a range of malicious tasks, including the following, the report noted:

  • Extract cookies and steal login credentials from Google Chrome, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, and other browsers
  • Steal a user's payment accounts from Facebook, Amazon, and Airbnb
  • Send friend requests to other accounts from the user's Facebook account
  • Send phishing messages to the user's Facebook friends with malicious APKs to infect Android devices
  • Steal login credentials for the user's Steam account
  • Inject JavaScript adware in Internet Explorer
  • Install extensions for Chrome and Opera to inject JavaScript adware
  • Capture the user's browsing history
  • Silently display ads or muted YouTube videos to Chrome users, or even install Chrome if it's not already installed
  • Subscribe users to YouTube video channels
  • Download and execute any payload

The rootkit driver is signed with a code-signing certificate issued to Yun Yu Health Management Consulting (Shanghai) Co., which appears as the signer. Bitdefender said it has told the issuing Certificate Authority that this certificate was either compromised or misused, but as of the report the certificate has not been revoked, so the driver's signature still validates on Windows.

How to detect and remove rootkit threats

Rootkit threats are invasive and persistent, so they typically require special steps to detect and remove them. Scranos can be removed, but the process is intricate, and because the rootkit driver hides the malware's components from tools running inside the infected system, reimaging the machine is the safer option where it is feasible. Below are the steps from Bitdefender for eliminating Scranos on a Windows computer:

  1. Close your browser or browsers.
  2. Kill all processes running from the temporary path (%TEMP%). Remove any files detected as malicious.
  3. Kill the rundll32.exe process.
  4. Generate the rootkit file name as follows:
    a. Get the current user's SID.
    b. Compute the MD5 hash of the SID string from a).
    c. Take the first 12 characters of the hex digest from b).
  5. Run a cmd or PowerShell window with Administrator rights and type the following (in PowerShell, type sc.exe rather than sc, because sc on its own is an alias for the Set-Content cmdlet):
    >sc stop <string resulted from step 4>
    >sc delete <string resulted from step 4>
  6. Go to %WINDIR%\System32\drivers, check for a file called <string resulted from step 4>.sys, and delete that file.
  7. Remove the DNS driver (below, replace MOIYZBWQSO with your particular driver name):
    - Check if the DNS driver is installed: %TEMP% should contain a file named with 10 random uppercase letters (e.g. MOIYZBWQSO.sys). The Registry should also contain a key with the same name (e.g. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MOIYZBWQSO).
    - Run a cmd or PowerShell window with Administrator rights and type:
    sc stop MOIYZBWQSO
    sc delete MOIYZBWQSO
    - Delete the file %TEMP%\MOIYZBWQSO.sys
  8. Reboot your PC to remove the injected code from the svchost.exe process.
  9. Remove any suspicious extensions from your browsers.
  10. Change all your passwords.
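As an added example (not Bitdefender's tooling and not code from the report), the PowerShell script below automates the checks in steps 4 to 7 and the certificate detail above: it derives the rootkit service name from the current user's SID, looks for the matching service key and driver file, searches %TEMP% for the ten-letter DNS driver, and lists drivers whose Authenticode signer subject names the company Bitdefender reported. It assumes the MD5 in step 4 is taken over the ASCII bytes of the SID string and that the name is the first 12 hex characters of the digest; the page states neither the encoding nor the letter case (case does not matter, since Windows service names and NTFS file names are case-insensitive, but the byte encoding does). Run it elevated in the affected user's session, because the derived name is per-user; nothing is removed unless -Remove is passed.

```powershell
<#
  Added example, not Bitdefender's tooling: locate the Scranos artifacts that
  steps 4 to 7 describe and remove them only when -Remove is given.
  Assumptions not stated on the page: MD5 over the ASCII bytes of the SID
  string, name = first 12 lowercase hex characters of the digest.
  Run from an elevated PowerShell prompt in the affected user's session.
#>
[CmdletBinding()]
param([switch]$Remove)

# Step 4: rootkit service/driver name = first 12 hex chars of MD5(SID).
function Get-ScranosDriverName {
    param([string]$Sid = ([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value))
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Sid)   # assumption: ASCII encoding
    $hex   = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    return $hex.Substring(0, 12)
}

# Steps 5 and 6: is there a service key and a driver file with that name?
# The registry is checked rather than Get-Service, which lists only Win32
# services and not kernel drivers.
function Test-ScranosRootkit {
    param([string]$Name)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $file = Join-Path $env:WINDIR "System32\drivers\$Name.sys"
    [PSCustomObject]@{
        Name       = $Name
        ServiceKey = Test-Path -LiteralPath $key
        DriverFile = $file
        FileSeen   = Test-Path -LiteralPath $file
    }
}

# Step 7: the DNS driver is a .sys in %TEMP% named with 10 random uppercase
# letters that also has a service key of the same name (-cmatch is case-sensitive).
function Find-ScranosDnsDriver {
    Get-ChildItem -LiteralPath $env:TEMP -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -cmatch '^[A-Z]{10}$' } |
        Where-Object { Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.BaseName)" }
}

# Certificate detail: flag installed drivers whose Authenticode signer subject
# names the company Bitdefender reported for the rootkit driver's certificate.
function Find-DriversBySigner {
    param([string]$Pattern = 'Yun Yu Health Management Consulting')
    Get-ChildItem -LiteralPath (Join-Path $env:WINDIR 'System32\drivers') -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.SignerCertificate -and $_.SignerCertificate.Subject -like "*$Pattern*" }
}

# Steps 5 to 7: stop and delete the service, then remove its driver file.
# sc.exe, not sc: inside PowerShell, sc is an alias for Set-Content.
function Remove-ScranosService {
    param([string]$Name, [string]$Path)
    sc.exe stop $Name   | Out-Null
    sc.exe delete $Name | Out-Null
    if (Test-Path -LiteralPath $Path) { Remove-Item -LiteralPath $Path -Force }
}

$name    = Get-ScranosDriverName
$rootkit = Test-ScranosRootkit -Name $name
$dns     = @(Find-ScranosDnsDriver)
$signed  = @(Find-DriversBySigner)

$rootkit | Format-List
$dns    | ForEach-Object { "Possible Scranos DNS driver: $($_.FullName)" }
$signed | ForEach-Object { "Driver signed by reported subject: $($_.Path)" }

if ($Remove) {
    if ($rootkit.ServiceKey -or $rootkit.FileSeen) { Remove-ScranosService -Name $name -Path $rootkit.DriverFile }
    foreach ($d in $dns) { Remove-ScranosService -Name $d.BaseName -Path $d.FullName }
    Write-Host 'Reboot to clear the code injected into svchost.exe, then remove browser extensions and change passwords.'
}
```

A loaded rootkit can hide its own files and registry keys from user-mode tools, so an empty result from a live system is not proof that the machine is clean; where possible, confirm from an offline boot or reimage the host. Steps 1 to 3 and 8 to 10 remain manual.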
