
Scranos, a new rootkit malware, steals passwords and pushes YouTube clicks

Security researchers have discovered an unusual new malware that steals user passwords and account payment methods stored in a victim’s browser — and also silently pushes up YouTube subscribers and revenue.

The malware, Scranos, has rootkit capabilities, burying itself deep in vulnerable Windows computers to gain persistent access — even after the computer restarts. Scranos only emerged in recent months, according to new Bitdefender research published Tuesday, but the number of infections has rocketed since it was first identified in November.

“The motivations are strictly commercial,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender, in an email. “They seem to be interested in spreading the botnet to consolidate the business by infecting as many devices as possible to perform advertising abuse and to use it as a distribution platform for third party malware,” he said.

Bitdefender found the malware spreading through trojanized downloads that masquerade as real apps, like video players and e-book readers. The rogue apps are digitally signed — likely with a fraudulently obtained certificate — so that the computer does not block them. “By using this approach, the hackers are more likely to infect targets,” said Botezatu. Once installed, the rootkit takes hold to maintain its presence and phones home to its command and control server to download additional malicious components. The second-stage droppers inject custom code libraries into common browsers — Chrome, Firefox, Edge, Baidu, and Yandex, to name a few — to target Facebook, YouTube, Amazon, and Airbnb accounts, gathering data to send back to the malware operator.


Chief among those is the YouTube component, said Bitdefender. The malware opens Chrome in debugging mode and, using the payload, hides the browser window from the desktop and taskbar. The hidden browser is then driven to open YouTube videos in the background, mute them, subscribe to a channel specified by the command and control server, and click ads.
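A browser launched in remote-debugging mode by something other than the user is the observable that a defender can hunt for in process-creation telemetry. The following detector is an added example, not code from the article or from Bitdefender: it scans process-creation events for a browser started with a remote-debugging switch plus a second indicator (headless or muted flags, or a parent process that is not the desktop shell), which is the launch pattern the report describes without naming the exact switches. The event format and all sample lines are constructed here; the switch names (`--remote-debugging-port`, `--remote-debugging-pipe`, `--headless`, `--mute-audio`) are real Chromium command-line options, but the assumption that Scranos uses these particular ones is mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed event format: space-separated key=value pairs, quoted when the
# value contains spaces, e.g.  ts=... image="..." parent="..." cmdline="..."
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "browser.exe"}
# Real Chromium switches that expose a DevTools control channel.
REMOTE_DEBUG = re.compile(r"^--remote-debugging-(port|pipe)(=|$)")
# Real Chromium switches that make a session invisible or silent.
QUIET_FLAGS = {"--headless", "--mute-audio"}
# Parents from which a browser launch is expected (assumption for this example).
TRUSTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Finding:
    ts: str
    image: str
    parent: str
    reasons: List[str]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed process-creation line into a dict of fields."""
    return {key: value.strip('"') for key, value in EVENT_RE.findall(line)}


def analyze(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a browser is started in a hidden, remotely driven way."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if image not in BROWSERS:
        return None
    # Flags never contain spaces, so a plain split is enough to pick them out
    # even though the executable path itself may contain spaces.
    flags = [tok for tok in event.get("cmdline", "").split() if tok.startswith("--")]
    reasons: List[str] = []
    if any(REMOTE_DEBUG.match(flag) for flag in flags):
        reasons.append("remote debugging enabled")
    quiet = sorted({flag.split("=")[0] for flag in flags} & QUIET_FLAGS)
    if quiet:
        reasons.append("quiet flags: " + ", ".join(quiet))
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    if parent not in TRUSTED_PARENTS:
        reasons.append("unexpected parent " + (parent or "unknown"))
    # Developers legitimately enable remote debugging from the shell, so the
    # rule requires a second indicator before it raises a finding.
    if "remote debugging enabled" in reasons and len(reasons) >= 2:
        return Finding(event.get("ts", ""), image, parent, reasons)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run the rule over a batch of event lines and collect the findings."""
    return [f for f in (analyze(parse_event(line)) for line in lines) if f]


# Constructed sample telemetry: a normal launch, a developer's debug session,
# a hidden session spawned by an unknown binary, and an unrelated process.
SAMPLE_EVENTS = [
    'ts=2019-04-16T10:02:11Z image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'parent="C:\\Windows\\explorer.exe" cmdline="chrome.exe https://www.youtube.com/"',
    'ts=2019-04-16T10:02:30Z image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'parent="C:\\Windows\\explorer.exe" cmdline="chrome.exe --remote-debugging-port=9222"',
    'ts=2019-04-16T10:03:05Z image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'parent="C:\\Users\\victim\\AppData\\Roaming\\updater.exe" '
    'cmdline="chrome.exe --remote-debugging-port=9222 --headless --mute-audio '
    'https://www.youtube.com/watch?v=PLACEHOLDER"',
    'ts=2019-04-16T10:04:00Z image="C:\\Windows\\System32\\notepad.exe" '
    'parent="C:\\Windows\\explorer.exe" cmdline="notepad.exe"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.ts, finding.image, "<-", finding.parent, "|", "; ".join(finding.reasons))
```

Only the third sample line produces a finding: remote debugging is on, the session is headless and muted, and the parent is an unknown executable in the user's roaming profile. The developer's own debug session on the second line is deliberately left alone, which keeps the rule usable on workstations where Chrome's DevTools protocol is a normal tool.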

The malware “aggressively” promoted four YouTube videos on different channels, the researchers found, turning victim computers into a de facto clickfarm to generate video revenue.

“They are looking at advertising fraud by consuming ads on their publisher channels invisibly in order to pocket the profit,” said Botezatu. “They are growing accounts that they have been paid to grow and helping inflate an audience so they can grow specific ‘influencer’ accounts.”

Another downloadable component allows the malware to spam a victim’s Facebook friend requests with phishing messages. By siphoning off a user’s session cookie, it sends a malicious link to an Android adware app over a chat message.

“If the user is logged into a Facebook account, it impersonates the user and extracts data from the account by visiting certain web pages from the user’s computer, to avoid arousing suspicion by triggering an unknown device alert,” reads the report. “It can extract the number of friends, and whether the user administrates any pages or has payment information in the account.” The malware also tries to steal Instagram session cookies and the number of followers the user has.

Other malicious components allow the malware to steal data from Steam accounts, inject adware into Internet Explorer, run rogue Chrome extensions, and collect and upload a user’s browsing history.

“This is an extremely sophisticated threat that took a lot of time and effort to set up,” said Botezatu. The researchers believe the botnet has tens of thousands of devices ensnared already — at least.

“Rootkit-based malware shows an unusual level of sophistication and dedication,” he said.
