ngCERT Advisory on Scranos Malware

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows XP, Microsoft® Windows Vista, Microsoft® Windows 7, Microsoft® Windows 8, Microsoft® Windows 8.1, Microsoft® Windows 10
Advisory ID:
ngCERT 2018-0007
Version:
1.00
CVE:
CVE-2019-15958
Published:
January 17, 2020

Summary


Scranos is a Trojan horse that steals information from the compromised computer. It may also download potentially malicious files. Scranos cloaks itself as cracked software or apps that pose as legitimate programs, such as ebook readers, video players, drivers, and even security products. Upon execution, a rootkit driver is installed to hide the malware.

Description & Consequence


The threat spreads via Trojanized applications disguised as cracked software, or applications posing as legitimate software such as e-book readers, video players, drivers, or even antivirus products. The password- and data-stealing operation is built around a rootkit driver digitally signed with a possibly stolen certificate, according to Bitdefender's research, and is being continually tested and upgraded for maximum effectiveness. Scranos can perform a range of malicious tasks, including the following:
  - Extract cookies and steal login credentials from Google Chrome, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, and other browsers
  - Steal a user's payment accounts from Facebook, Amazon, and Airbnb
  - Send friend requests to other accounts from the user's Facebook account
  - Send phishing messages to the user's Facebook friends with malicious APKs to infect Android devices
  - Steal login credentials for the user's Steam account
  - Inject JavaScript adware in Internet Explorer
  - Install extensions for Chrome and Opera to inject JavaScript adware
  - Capture the user's browsing history
  - Silently display ads or muted YouTube videos to Chrome users, or even install Chrome if it is not already installed
  - Subscribe users to YouTube video channels
  - Download and execute any payload

Solution


How to detect and remove rootkit threats

Rootkit threats are invasive and persistent, so they typically require special steps to detect and remove them. Scranos can be removed, but the process is intricate. Below are the steps from Bitdefender for eliminating Scranos on a Windows computer:
  1. Close your browser or browsers.
  2. Kill all processes running from the temporary path (%TEMP%). Remove any files detected as malicious.
  3. Kill the rundll32.exe process.
  4. Generate the rootkit driver name as follows:
     a) Get the current user's SID.
     b) Compute the MD5 of the string from a).
     c) Take the first 12 characters of the MD5 hex string from b); this is the rootkit name used in the next two steps.
  5. Run a cmd or PowerShell window with Administrator rights and stop and delete the rootkit service, where <rootkit name> is the 12-character string from step 4:
     sc stop <rootkit name>
     sc delete <rootkit name>
  6. Go to %WINDIR%\System32\drivers, check for a file called <rootkit name>.sys and delete that file.
  7. Remove the DNS driver (below, MOIYZBWQSO should be replaced with your particular driver name):
     - Check if the DNS driver is installed: in %TEMP% there should be a file whose name is 10 random uppercase letters (ex: MOIYZBWQSO.sys). In the Registry there should also be a key corresponding to the name (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MOIYZBWQSO).
     - Run a cmd or PowerShell window with Administrator rights and type:
       sc stop MOIYZBWQSO
       sc delete MOIYZBWQSO
     - Delete the file %TEMP%\MOIYZBWQSO.sys
  8. Reboot your PC to remove the injected code from the svchost.exe process.
  9. Remove any suspicious extension from your browsers.
  10. Change all your passwords.
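The following PowerShell script is an added example written for this advisory; it is not part of the Bitdefender write-up or the original advisory text. It automates the detection half of the procedure above: it derives the expected rootkit name from the current user's SID (MD5 of the SID string, first 12 hex characters), checks for the matching driver file and service key, looks for the 10-uppercase-letter DNS driver in %TEMP% with its service key, and lists processes running from %TEMP%. It only reports; the sc stop / sc delete / file deletion steps are printed for the operator to run as Administrator, not executed. Assumptions not stated in the advisory: the MD5 is taken over the SID in its textual form ("S-1-5-21-...") as ASCII, and because the advisory does not say whether the hex digest is upper- or lower-case, file and registry checks rely on Windows being case-insensitive.

```powershell
# Added example (not from the advisory or Bitdefender): detect Scranos
# artefacts described in the removal steps. Run in an elevated PowerShell
# on the suspected host. Detection only; nothing is stopped or deleted.

# Step 4: rootkit name = first 12 hex chars of MD5(current user's SID).
# Assumption: the SID is hashed as its ASCII string form.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$md5 = [System.Security.Cryptography.MD5]::Create()
$digest = $md5.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($sid))
$hex = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''
$rootkitName = $hex.Substring(0, 12)
Write-Host "Current user SID      : $sid"
Write-Host "Expected rootkit name : $rootkitName"

# Steps 5 and 6: service key and driver file named after the rootkit name.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driverPath  = Join-Path $env:WINDIR "System32\drivers\$rootkitName.sys"
$svcKey      = Join-Path $servicesKey $rootkitName
if (Test-Path $driverPath) { Write-Warning "Rootkit driver file present: $driverPath" }
if (Test-Path $svcKey) {
    Write-Warning "Rootkit service key present: $svcKey"
    Write-Host   "  Remove with: sc stop $rootkitName; sc delete $rootkitName; then delete $driverPath"
}

# Step 7: DNS driver = <10 uppercase letters>.sys in %TEMP% with a matching
# service key. -cmatch is case-sensitive, so only all-uppercase names match.
Get-ChildItem -Path $env:TEMP -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -cmatch '^[A-Z]{10}$' } |
    ForEach-Object {
        $name = $_.BaseName
        $key  = Join-Path $servicesKey $name
        if (Test-Path $key) {
            Write-Warning "Candidate DNS driver: $($_.FullName) (service key $key)"
            Write-Host   "  Remove with: sc stop $name; sc delete $name; Remove-Item '$($_.FullName)'"
        }
    }

# Step 2: processes whose image lives under %TEMP%. Path is $null for
# processes the caller cannot open, so those are skipped rather than flagged.
Get-Process |
    Where-Object { $_.Path -and $_.Path.StartsWith($env:TEMP, [System.StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object { Write-Warning "Process running from %TEMP%: $($_.ProcessName) (PID $($_.Id)) $($_.Path)" }
```

Running this before and after the manual steps gives a quick confirmation that the driver file, service key and %TEMP% artefacts are gone; a driver that still shows up after the reboot in step 8 means the rootkit was not fully removed and the steps should be repeated.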

Reference


  1. https://www.symantec.com/security-center/writeup/2019-041807-0357-99
  2. https://www.scmagazineuk.com/scranos-malware-expands-china-goes-global/article/1582196
  3. https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/
