A new password and data stealing operation that has been targeting China has started to infect users worldwide, according to Bitdefender Cyber Threat Intelligence Lab.
The malware uses a rootkit driver signed with what is believed to be a possibly stolen certificate, and the attack is still a work in progress, with many components in an early stage of development, say the researchers behind the company's latest report, Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation.
"We discovered that the operators of this rootkit-enabled spyware are continuously testing new components on already-infected users and regularly making minor improvements to old components," according to the report. "The various components can serve different purposes or take different approaches to achieve their goals."
Some of the identified components:
- Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser
- Steal a user’s payment accounts from Facebook, Amazon and Airbnb webpages
- Send friend requests to other accounts, from the user’s Facebook account
- Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Android users as well
- Steal login credentials for the user’s account on Steam
Bitdefender's research reveals that the malware spreads via Trojanized applications "disguised as cracked software, or applications posing as legitimate software such as e-book readers, video players, drivers or even antimalware products." When executed, the rootkit driver is installed to cloak the malware and ensure persistence. The malware then phones home and is told what other components to download and install.
"Our telemetry shows the adware has a global presence, but it seems more prevalent in India, Romania, Brazil, France, Italy and Indonesia," continues the report. "All identified samples confirm that this operation is in a consolidation stage: the oldest samples identified date back to November 2018, with a massive spike in December and January. However, in March 2019, the command and control servers started pushing other strains of malware – a clear indicator that the network is now affiliated with third parties in pay-per-install schemes."
The rootkit driver, at the time the report was written, contains a valid digital signature with a certificate issued to Yun Yu Health Management Consulting (Shanghai) Co., Ltd.
"The most likely scenario is that an impersonator obtained this certificate fraudulently, even if the company is not a software vendor," the report deduces.
The rootkit creates a device named \Device\VideoDriver and serves three main purposes, according to the report:
- Decrypts and injects the downloader in a svchost.exe process with system authority
- Deletes a specified file using low-level file system operations
- Registers an IRP_MJ_SHUTDOWN function which is used to ensure the persistence of this rootkit in the infected system by rewriting itself on disk and in the registry at every shutdown, in case it was deleted
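As an added detection example, not code from the Bitdefender report or this article, the script below triages Sysmon Event ID 6 (driver load) records: it flags any driver whose Authenticode signer is the certificate subject named in the report, and any driver that is unsigned or whose signature does not validate. The Sysmon field names (ImageLoaded, Signed, Signature, SignatureStatus) are the real schema; the event records, driver file names and paths are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Certificate subject the report names as the signer of the Scranos rootkit driver.
SCRANOS_SIGNER = "Yun Yu Health Management Consulting (Shanghai) Co., Ltd."

# Constructed Sysmon Event ID 6 records (field names per the Sysmon schema,
# values made up; the driver file names are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    """<Event><EventData>
      <Data Name="ImageLoaded">C:\\Windows\\System32\\drivers\\ndis.sys</Data>
      <Data Name="Signed">true</Data>
      <Data Name="Signature">Microsoft Windows</Data>
      <Data Name="SignatureStatus">Valid</Data>
    </EventData></Event>""",
    """<Event><EventData>
      <Data Name="ImageLoaded">C:\\Windows\\System32\\drivers\\PLACEHOLDER_A.sys</Data>
      <Data Name="Signed">true</Data>
      <Data Name="Signature">Yun Yu Health Management Consulting (Shanghai) Co., Ltd.</Data>
      <Data Name="SignatureStatus">Valid</Data>
    </EventData></Event>""",
    """<Event><EventData>
      <Data Name="ImageLoaded">C:\\Windows\\System32\\drivers\\PLACEHOLDER_B.sys</Data>
      <Data Name="Signed">false</Data>
      <Data Name="Signature">-</Data>
      <Data Name="SignatureStatus">Unavailable</Data>
    </EventData></Event>""",
]


def parse_driver_load(xml_text):
    """Return the EventData fields of one Sysmon event as a dict (namespace-tolerant)."""
    root = ET.fromstring(xml_text)
    # Real Sysmon XML carries an xmlns; match on the local tag name so both forms work.
    return {d.get("Name"): (d.text or "").strip()
            for d in root.iter() if d.tag.rsplit("}", 1)[-1] == "Data"}


def triage_driver_loads(events, blocklisted_signers=(SCRANOS_SIGNER,)):
    """Return (image_path, reason) for every driver load worth an analyst's attention."""
    findings = []
    for xml_text in events:
        ev = parse_driver_load(xml_text)
        image = ev.get("ImageLoaded", "")
        if ev.get("Signature") in blocklisted_signers:
            findings.append((image, "signer matches certificate named in the Scranos report"))
        elif ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            findings.append((image, "driver is unsigned or its signature did not validate"))
    return findings


if __name__ == "__main__":
    for image, reason in triage_driver_loads(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

A valid signature alone is not a clean bill of health here, which is why the signer check runs before the signature-status check.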