This data-stealing malware has returned with new attacks and nasty upgraded features

Large parts of the Scranos operation were taken out in April - but it's already back and the criminals behind it seem more determined than ever, adding a trojan and a cryptojacker to their adware scheme.
Written by Danny Palmer, Senior Writer

The group behind a malware campaign targeting both Windows and Android devices in an adware operation across Europe and the US has altered its attack techniques and added new payloads, including a cryptominer and a Trojan, in an apparent bid to make more money from infected devices.

Details of the multi-functional Scranos malware first emerged in April, but shortly afterwards the operators lost their main mechanism of persistence and disguise when the Authenticode certificates they had been misusing were revoked.

But that hasn't stopped the cyber criminal campaign: in the space of just a few weeks, Scranos has already updated its attack methods in an attempt to rebuild the botnet.

The new techniques employed by Scranos have been detailed by cyber security researchers at Bitdefender – who were also responsible for uncovering the malware campaign earlier this year. It's believed that the campaign has originated from China – but its effects are felt around the globe.

"The rapid mobilization of its operators to contain the damage and maintain control of the already infected machines reveals that they were not ready to give up yet," Bogdan Botezatu, Director of Threat Research and Reporting at Bitdefender told ZDNet.

"They came with a novel approach at concealing their malware behind Microsoft executables and they also started spreading new payloads to keep funding going".

The new version of Scranos comes with an updated infection technique based around a fake application called CClear. It's based on the legitimate and widely used system optimisation application CCleaner and is advertised as carrying out similar functionality.

The malware dropper is delivered using a combination of malvertising and being bundled within other software packages.

Once downloaded and installed, the dropper contacts the command and control server and replaces one of the hosts files with a new download, as well as attempting to steal cookies, login credentials, Facebook information and payment accounts. The dropper will also download and install Chrome and Firefox if they're not on the system, as it needs to use plug-ins within these browsers to operate.


From here, a legitimate Microsoft executable is placed in the same folder as a malicious DLL to ensure the malware is persistent and remains active after a system reboot. At the same time, the fake CClear application is installed, complete with a desktop shortcut so the user has no reason to suspect they've been scammed. It even has a functioning user interface – although in reality, when run, it does nothing.

Finally, the actual downloader is installed using a newly created rundll32.exe process, allowing Scranos to download and execute additional payloads.

By using legitimate Windows executables in the installation process, Scranos leaves few traces of its activity behind and even blends in with standard network traffic, reducing the risk of being discovered before it has generated revenue for the attackers.
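The installation chain described above (a legitimate Microsoft executable dropped next to a malicious DLL, then a rundll32.exe process loading the downloader) leaves two patterns a defender can look for in process telemetry. The script below is an added example written for this article; it is not code from the Bitdefender analysis or from ZDNet. The event records are constructed, Sysmon-like dictionaries (image path, command line, a `signer` field assumed to come from a prior signature check, and the non-system DLLs the process loaded), the heuristics are the author's own, and the file and folder names (`C:\ProgramData\CClear\...`, `loader.dll`, `helper.dll`) are invented for the sample, not indicators from the campaign.

```python
"""
Added detection example, not from the ZDNet article or Bitdefender's report.
Flags two patterns from the Scranos install chain described in the article:
  1. A Microsoft-signed executable running from a user-writable folder and
     loading a DLL that sits in that same folder (DLL side-loading).
  2. rundll32.exe loading a DLL from outside the Windows directory.
Event fields are a constructed, Sysmon-like shape, not a real log format.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    image: str                      # full path of the executable that started
    command_line: str
    signer: str = ""                # publisher from a signature check (assumed field)
    loaded_dlls: list = field(default_factory=list)  # DLLs observed loading into it


SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def in_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def user_writable(path: str) -> bool:
    return any(hint in _norm(path) for hint in USER_WRITABLE_HINTS)


def sideload_suspects(ev: ProcessEvent) -> list:
    """DLLs loaded from the same folder as a Microsoft-signed exe that is
    running from a user-writable location instead of its normal home."""
    if ev.signer.lower() != "microsoft corporation" or in_system_dir(ev.image):
        return []
    if not user_writable(ev.image):
        return []
    exe_dir = PureWindowsPath(_norm(ev.image)).parent
    return [d for d in ev.loaded_dlls if PureWindowsPath(_norm(d)).parent == exe_dir]


def rundll32_suspect(ev: ProcessEvent) -> bool:
    """True when rundll32.exe is asked to load a DLL outside the Windows directory."""
    if PureWindowsPath(_norm(ev.image)).name != "rundll32.exe":
        return False
    parts = ev.command_line.split(" ", 1)
    if len(parts) < 2:
        return False
    # rundll32 syntax is "<dll>,<entrypoint> [args]"; take the DLL before the first comma
    dll = parts[1].strip().strip('"').split(",", 1)[0].strip('"')
    return dll.lower().endswith(".dll") and not in_system_dir(dll)


def triage(events) -> list:
    """Return (reason, image, detail) tuples for every event that matches a pattern."""
    findings = []
    for ev in events:
        for dll in sideload_suspects(ev):
            findings.append(("possible DLL side-loading", ev.image, dll))
        if rundll32_suspect(ev):
            findings.append(("rundll32 loading non-system DLL", ev.image, ev.command_line))
    return findings


# Constructed sample events; paths and names below are invented for this example.
SAMPLE_EVENTS = [
    # benign: rundll32 loading a DLL that lives in System32
    ProcessEvent(image=r"C:\Windows\System32\rundll32.exe",
                 command_line=r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
                 signer="Microsoft Corporation"),
    # suspicious: rundll32 loading a DLL dropped under the user's AppData
    ProcessEvent(image=r"C:\Windows\System32\rundll32.exe",
                 command_line=r'"C:\Windows\System32\rundll32.exe" C:\Users\alice\AppData\Roaming\Updater\loader.dll,Start',
                 signer="Microsoft Corporation"),
    # suspicious: Microsoft-signed exe copied into ProgramData beside a DLL it loads
    ProcessEvent(image=r"C:\ProgramData\CClear\legit.exe",
                 command_line=r'"C:\ProgramData\CClear\legit.exe"',
                 signer="Microsoft Corporation",
                 loaded_dlls=[r"C:\ProgramData\CClear\helper.dll",
                              r"C:\Windows\System32\kernel32.dll"]),
]

if __name__ == "__main__":
    for reason, image, detail in triage(SAMPLE_EVENTS):
        print(f"{reason}: {image} -> {detail}")
```

Both checks are triage signals rather than verdicts: some legitimate installers do place Microsoft redistributable executables under ProgramData, and rundll32 is routinely handed DLLs from Program Files, so a deployment would whitelist known paths and pair the hit with the signature status of the loaded DLL before alerting.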

The key goal of Scranos is to generate traffic to URLs as directed by the command and control servers. These URLs contain various adverts, videos and other revenue generating links which are run using a hidden instance of Google Chrome. Each URL is opened in a new tab with each driving revenue for the attackers. This is done behind the scenes, without the knowledge of the user.

But the campaign isn't just about ad fraud, with the operators behind Scranos adding several new payloads to the latest iteration of the malware – including the Yoddos trojan.

Yoddos isn't a new trojan, having existed in the wild since 2012, but it provides a backdoor into infected machines in addition to being able to employ the systems to conduct DDoS attacks.

Researchers believe that Yoddos is being deployed to deliver other kinds of malware, and that it forms part of a second moneymaking scheme, with the operators of Scranos renting out their network so that other criminals can drop new payloads.


"Most likely, the reason for pushing a Trojan that is five years old goes hand in hand with the secondary business model of the gang. When they gained a significant foothold on victim machines, the Scranos team started renting access to the infrastructure so that cyber criminals could deliver additional payloads to victims," said Botezatu.

Scranos also comes equipped with a cryptocurrency miner which secretly uses the processing power of infected machines to generate Monero for the attackers – providing them with yet another stream of revenue.

And if that wasn't enough, the reason Scranos steals login information for different kinds of accounts, such as Facebook, Amazon, Airbnb and more, during its installation process is so that the attackers can also make money by selling it on to other criminals.

"They are probably being either re-sold on dark markets or are paving the way to a business opportunity that is currently on the road-map," said Botezatu.

The exact size of the Scranos botnet isn't known, but it's thought to be large with infections detected around the world, with the US, Brazil and India accounting for some of the highest levels of detection.

While Scranos has become prolific, it's also quite easy to avoid. With the main method of installation relying on persuading users to download it, users could go a long way to avoiding the malware by being careful about what they install – and by only downloading applications from trusted websites.

"Pirated software is not only the root cause of Scranos, it has also become an important delivery mechanism for ransomware. If in doubt, do not install applications from third party websites – rather head to the vendor's page and get a copy of the software," said Botezatu.

"Most importantly, if the security solution detects something in the piece of software that you are about to install and blocks it, do not attempt to pause protection and retry the installation," he added.

A full list of Indicators of Compromise has been detailed in the full Bitdefender analysis of Scranos which is set to be published soon.
