New cross platform rootkit: Scranos

Scranos is a new player to the global malware scene that leverages many well-known and some new methods to obtain login credentials and bank information. It can also steal or manipulate information from several online accounts to access your Amazon, Airbnb, Facebook, Steam, and YouTube accounts.

How it works

Scranos is installed through various methods, including:

  • cracked software
  • pirated videos and movies
  • legal alternative software such as e-book readers, video players, driver updaters, and fake antimalware products

When installed, Scranos installs a rootkit driver that ensures it remains on the computer unless removed by a legitimate antivirus program.

Once Scranos has gained persistence, it injects another running process with a downloader so that it can download other functionally. When it’s done, Scranos removes All downloaded contentfrom the computer to make it easier to keep itself hidden.

Among the functionality that Scranos downloads is a YouTube module.  This module launches Chrome (and installs it if it’s not already installed), goes to YouTube, mutes it, and subscribes to channels that the attackers use to earn money. Other methods Scranos uses to gain information include:

  • stealing information from various online platforms
  • modules that inject various false advertisement
  • bitcoin miners

In addition, Scranos has capabilities to infect other operating system such as Linux, IOS, and Android. These targets can be installed through phishing attempts from infected users’ Facebook messages.

Who is affected?

Scranos, due to its infection methods, can affect anyone, even those who do not download illegal software. While Scranos has been active in a testing form in several regions, it has been noticed on a global scale in recent months, indicating that testing may be done, or that they are testing on a larger scale. Either way, Scranos seems to just be getting started, and everyone is at risk.

Indicators of compromise

  1. YouTube or Facebook accounts showing activity during times it was not used
  2. %WINDIR%\System32\<random looking names>
  3. wcrx.exe
  4. Chrome extensions that the user didn’t install
  5. Y2B.EXE
  6. HKCU\Software\@demo
  7. HKLM\Software\Microsoft\@msver1
  8. HKLM\Software\Microsoft\@msver2
  9. HKLM\Software\Microsoft\@o2
  10. HKLM\Software\Microsoft\@o3

What you can do


If you or someone you know is infected with Scranos malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Scranos from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

Comments

Thanks for a real advice, it is very useful!
SUPERAntiSpyware is an excellent thing to fight Scranos, I have just downloaded it.

Comments are closed.