New cross platform rootkit: Scranos

Scranos is a new player to the global malware scene that leverages many well-known and some new methods to obtain login credentials and bank information. It can also steal or manipulate information from several online accounts to access your Amazon, Airbnb, Facebook, Steam, and YouTube accounts.

How it works

Scranos is installed through various methods, including:

  • cracked software
  • pirated videos and movies
  • legal alternative software such as e-book readers, video players, driver updaters, and fake antimalware products

When installed, Scranos installs a rootkit driver that ensures it remains on the computer unless removed by a legitimate antivirus program.

Once Scranos has gained persistence, it injects another running process with a downloader so that it can download other functionally. When it’s done, Scranos removes All downloaded contentfrom the computer to make it easier to keep itself hidden.

Among the functionality that Scranos downloads is a YouTube module.  This module launches Chrome (and installs it if it’s not already installed), goes to YouTube, mutes it, and subscribes to channels that the attackers use to earn money. Other methods Scranos uses to gain information include:

  • stealing information from various online platforms
  • modules that inject various false advertisement
  • bitcoin miners

In addition, Scranos has capabilities to infect other operating system such as Linux, IOS, and Android. These targets can be installed through phishing attempts from infected users’ Facebook messages.

Who is affected?

Scranos, due to its infection methods, can affect anyone, even those who do not download illegal software. While Scranos has been active in a testing form in several regions, it has been noticed on a global scale in recent months, indicating that testing may be done, or that they are testing on a larger scale. Either way, Scranos seems to just be getting started, and everyone is at risk.

Indicators of compromise

  1. YouTube or Facebook accounts showing activity during times it was not used
  2. %WINDIR%\System32\<random looking names>
  3. wcrx.exe
  4. Chrome extensions that the user didn’t install
  5. Y2B.EXE
  6. HKCU\Software\@demo
  7. HKLM\Software\Microsoft\@msver1
  8. HKLM\Software\Microsoft\@msver2
  9. HKLM\Software\Microsoft\@o2
  10. HKLM\Software\Microsoft\@o3

What you can do

If you or someone you know is infected with Scranos malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Scranos from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID.  Click here:

WinRAR Vulnerability

File compression has been an indispensable tool for computer users ever since it was first developed in the late 1980’s. Back then space on relatively small hard drives was at a premium, and compacting files that weren’t currently being used was a great way to free up a few valuable megabytes. These archived files also transferred faster over the slow, newborn internet.

Today there are many varieties of file compression: Zip, Gzip, RAR, 7z to name a few. WinRAR is a utility that allows you to compress/decompress most of the more common compressed file types, and many less-used types.

One of these lesser-used file types is called ACE. Recently a vulnerability has been found in WinRAR that can allow a malicious ACE archive to drop malware onto your system. This flaw has been present in WinRAR for 19 years but was just noticed earlier this year.

They have since patched their software with the release of version 5.70, but unfortunately WinRAR does not automatically check for updates. This means that there are millions of users out there with older versions of the software on their machine just waiting to be attacked.

Social engineering tactics have been used with these malicious archives, with adult photos or mp3s displayed inside them to entice the user to open the compressed file thereby infecting their system. Backdoors seem to be a common payload distributed by this process.

SUPERAntiSpyware can help protect you from many of the malware variants that have been distributed through this method. Along with keeping SUPERAntiSpyware’s definition database up-to-date, we recommend updating WinRAR to version 5.70 just to be safe.