Cross-Platform Rootkit and Spyware Hits Targets Worldwide

The Scranos rootkit-enabled spyware operation has expanded its reach beyond China to hit targets worldwide, Bitdefender security researchers warn. Spreading via trojanized applications posing as cracked software or legitimate programs (such as e-book readers, video players, drivers, or anti-malware products), the malware initially operated in China only, but is now prevalent in India, Romania, Brazil, France, Italy and Indonesia as well.

The initial stage of the infection uses a dropper that also functions as a password stealer. It installs a rootkit driver to achieve persistence and to hide the malicious activity from the user. To survive reboots, the rootkit rewrites itself at shutdown. However, because it does not hide itself, it can be deleted if detected. The other malicious components are deleted after use, since they can easily be re-downloaded when needed.

Next, the rootkit beacons the command and control (C&C) server to receive commands on which components to download and install. It injects the downloader into a legitimate svchost.exe process and abuses it to fetch the payloads.
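The infection chain above yields two behaviours a defender can hunt for in endpoint telemetry: code injected into a legitimate svchost.exe process that then opens an outbound connection, and a driver file written to the drivers directory shortly before the system shuts down. The following script is an added example written for this page, not Bitdefender's tooling or Scranos code. It runs two correlation rules over constructed sample events loosely modelled on Sysmon event IDs (8 = CreateRemoteThread, 3 = NetworkConnect, 11 = FileCreate); the "shutdown" marker, the file names, PIDs and addresses are all invented for the demonstration.

```python
"""Hunt for two Scranos-style behaviours in endpoint events:
(1) code injected into svchost.exe followed by an outbound connection
    from that same svchost.exe process within a short window, and
(2) a .sys file written under System32\\drivers shortly before shutdown
    (a rootkit that rewrites itself at shutdown to survive reboots)."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names and the
# synthetic "shutdown" marker are assumptions made for this example.
SAMPLE_EVENTS = [
    # Dropper injects into svchost.exe (Sysmon 8), which then beacons (Sysmon 3).
    {"ts": "2019-04-16T10:00:05", "id": 8,
     "source_image": "C:\\Users\\alice\\Downloads\\ebook_reader_setup.exe",
     "target_image": "C:\\Windows\\System32\\svchost.exe", "target_pid": 1234},
    {"ts": "2019-04-16T10:00:09", "id": 3, "image": "C:\\Windows\\System32\\svchost.exe",
     "pid": 1234, "dest": "203.0.113.10", "dest_port": 80},
    # A different svchost.exe with no injection seen: ordinary traffic, not flagged.
    {"ts": "2019-04-16T10:01:00", "id": 3, "image": "C:\\Windows\\System32\\svchost.exe",
     "pid": 900, "dest": "203.0.113.20", "dest_port": 443},
    # Driver installed by an installer hours before shutdown: not flagged.
    {"ts": "2019-04-16T09:00:00", "id": 11, "image": "C:\\Windows\\System32\\msiexec.exe",
     "target_file": "C:\\Windows\\System32\\drivers\\vendor_nic.sys"},
    # Driver file rewritten 30 seconds before shutdown: flagged.
    {"ts": "2019-04-16T17:30:00", "id": 11, "image": "C:\\Windows\\System32\\svchost.exe",
     "target_file": "C:\\Windows\\System32\\drivers\\example_rk.sys"},
    {"ts": "2019-04-16T17:30:30", "id": "shutdown"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_inject_then_beacon(events, window=timedelta(minutes=5)):
    """Return svchost.exe processes that were injected into and then connected out."""
    hits = []
    injected = {}  # target pid -> (injection time, injecting image)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["id"] == 8 and ev["target_image"].lower().endswith("\\svchost.exe"):
            injected[ev["target_pid"]] = (parse_ts(ev["ts"]), ev["source_image"])
        elif ev["id"] == 3 and ev.get("pid") in injected:
            t_inj, injector = injected[ev["pid"]]
            if timedelta(0) <= parse_ts(ev["ts"]) - t_inj <= window:
                hits.append({"pid": ev["pid"], "injector": injector, "dest": ev["dest"]})
    return hits


def find_driver_write_before_shutdown(events, window=timedelta(minutes=2)):
    """Return .sys files written under System32\\drivers within `window` before a shutdown."""
    shutdowns = [parse_ts(e["ts"]) for e in events if e["id"] == "shutdown"]
    hits = []
    for ev in events:
        if ev["id"] != 11:
            continue
        path = ev["target_file"].lower()
        if "\\system32\\drivers\\" not in path or not path.endswith(".sys"):
            continue
        t_write = parse_ts(ev["ts"])
        if any(timedelta(0) <= s - t_write <= window for s in shutdowns):
            hits.append({"file": ev["target_file"], "writer": ev["image"]})
    return hits


if __name__ == "__main__":
    for hit in find_inject_then_beacon(SAMPLE_EVENTS):
        print("inject-then-beacon:", hit)
    for hit in find_driver_write_before_shutdown(SAMPLE_EVENTS):
        print("driver write before shutdown:", hit)
```

Both rules produce hunting leads rather than verdicts: a legitimate driver installer that happens to run just before a reboot will also trip the second rule, so the writer image and the driver's signature should be reviewed before acting on a hit.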
