Scranos Revisited – Rethinking persistence to keep established network alive

In April, Bitdefender broke the
news of an emerging botnet dubbed Scranos. Originating from China, it has
spread across Europe and the United States, snaring Windows and Android devices
with advertising fraud and social network manipulation.

Our original report shone a spotlight on Scranos operators and exposed their illicit use of Authenticode certificates, and other actions. After Bitdefender reached out to Digicert to report the certificate used to sign the rootkit driver for malicious use, the Scranos operators lost their main mechanism to ensure persistence and disguise. When the the Scranos report was published, attackers saw their command and control infrastructure get flagged for malicious activity and shut down.

We kept an eye on the developments in the weeks after the
publication and documented how the operators tried to rebuild the botnet and
restore functionality. This led us to identify new components used to generate
ad revenue in the background by visiting arbitrary URLs with Google Chrome
and to disguise these ads as notifications, generating additional ad revenue at
the user’s expense. 

This report, which updates our original research, includes:

• An overview of how the cybercrime group compensates for the loss of the
  stolen digital signing certificate by using another persistence method
  based on DLL hijacking of legitimate Microsoft executables. 

• A detailed account of how attackers are rebuilding the command and
  control infrastructure, and information about the domain generation algorithm
  in the new samples.  

• New functionality to replace hosts file – attackers can redirect any website to their own or
  restrict access to some domains altogether. 

• New payload used to generate ad revenue by visiting arbitrary URLs. 

• New script injected in visited pages for displaying ads
  and redirecting web searches. 

• Facebook data stealing payload still widely used. 

• A fake application developed by the attackers to disseminate
  the Scranos malware to new users. 

• Trojan pushed by Scranos capable of distributed denial of service (DDoS) attacks and
  disabling the Windows security services. 

• Trojan pushed by Scranos which turns the device into a cryptocurrency miner.

Want to learn more? Download the full paper below: