A new, powerful rootkit-enabled spyware operation has been discovered in which hackers are distributing multifunctional malware disguised as cracked software or as trojanised apps posing as legitimate software such as video players, drivers and even anti-virus products.
While the rootkit malware, dubbed Scranos and first discovered late last year, still appears to be a work in progress, it is continuously evolving, testing new components and regularly improving old ones, which makes it a significant threat.
Scranos features a modular design that has already gained capabilities to steal login credentials and payment accounts from various popular services, exfiltrate browsing history and cookies, get YouTube subscribers, display ads, as well as download and execute any payload.
According to a 48-page in-depth report Bitdefender shared with The Hacker News prior to its release, the malware gains persistence on infected machines by installing a digitally-signed rootkit driver.
Researchers believe the attackers fraudulently obtained a valid digital code-signing certificate, originally issued to Yun Yu Health Management Consulting (Shanghai) Co., Ltd., which had not been revoked at the time of writing.
“The rootkit registers a Shutdown callback to achieve persistence. At shutdown, the driver is written to disk, and a start-up service key is created in the Registry,” the researchers say.
Upon infection, the rootkit malware injects a downloader into a legitimate process which then communicates with the attacker-controlled Command-and-Control (C&C) server and downloads one or more payloads.
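One way a defender can hunt for the persistence mechanism described above, as an added example that is not part of the article or of Bitdefender's report: a PowerShell script that walks the Services registry hive for kernel-driver entries, resolves each driver's ImagePath, and flags binaries whose Authenticode signer matches the certificate subject named in the article or whose signature does not verify. The signer string is the only value taken from the page; the script layout, variable names and the choice of registry fields are assumptions.

```powershell
# Added hunting example (not Bitdefender's or the article's code).
# The signer substring is taken from the article; any others you add are your own indicators.
$suspectSigners = @('Yun Yu Health Management Consulting')

# Kernel drivers are registered under the Services hive with Type = 1 (SERVICE_KERNEL_DRIVER).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$findings = foreach ($svc in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
    if ($props.Type -ne 1 -or -not $props.ImagePath) { continue }

    # ImagePath appears in several forms: \??\C:\..., \SystemRoot\..., or a path relative to %SystemRoot%.
    $path = $props.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path $path)) { continue }

    # Check the embedded (or catalog) Authenticode signature and pull the signer subject.
    $sig     = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $hit     = $suspectSigners | Where-Object { $subject -like "*$_*" }

    # A signer-name match is the useful indicator here: the article notes the certificate
    # had not been revoked, so a 'Valid' status alone would not expose this driver.
    if ($hit -or $sig.Status -ne 'Valid') {
        [pscustomobject]@{
            Service   = $svc.PSChildName
            ImagePath = $path
            Start     = $props.Start        # 0 = boot, 1 = system, 2 = auto: all survive reboot
            SigStatus = $sig.Status
            Signer    = $subject
            Reason    = if ($hit) { 'suspect signer' } else { "signature $($sig.Status)" }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated prompt after a reboot, since the article states the driver is written to disk and its service key created at shutdown; machines with test-signing enabled will also list their unsigned drivers, so triage the Signer column rather than treating every row as a hit.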