Scranos Rootkit Auto-Subscribes Users To Selected Youtube Channels
Youtube channels and malware are not the usual words we can use in just one sentence, but that is changing, as a new prolific rootkit-based malware named Scranos is causing havoc in the wild. It is the first known malware that automatically “subscribes” logged-in Google accounts to specific Youtube channels that the command and control center dictates. This seemed to be the case in order to augment the “profitability” of the virus beyond its regular function of keylogging the user to steal his login credentials to various web services such as Facebook, Amazon, AirBnB, and Youtube. The malware is compatible with mainstream browsers, which means it can auto-subscribes the user to those channels in hopes of better income stream. It is not yet concluded if the specific Youtube channel where the user was silently subscribed with are related to Scranos’ authors.
“The motivations are strictly commercial. They seem to be interested in spreading the botnet to consolidate the business by infecting as many devices as possible to perform advertising abuse and to use it as a distribution platform for third party malware,” said Bog Botezatu, Bitdefender’s Director of Threat Research and Reporting.
Bitdefender is advising people to be careful when downloading random video playback and e-book reader apps, as Scranos is delivered as a payload of trojan apps. Trojan apps are real copies of apps it claims to be, but with included payload, usually malware code. “By using this approach, the hackers are more likely to infect targets. They are looking at advertising fraud by consuming ads on their publisher channels invisibly in order to pocket the profit. They are growing accounts that they have been paid to grow and helping inflate an audience so they can grow specific ‘influencer’ accounts,” added Botezatu. With a modular formula, more functionalities can be added to Scranos by its authors. At the moment, the malware can extract browsing history, account payment information, and display adverts which can generate more profit to the virus authors.
The malware after silently watches the computer, once the user logs in to Facebook, it can then extract the user data (Facebook allows users to download their data manually). “If the user is logged into a Facebook account, it impersonates the user and extracts data from the account by visiting certain web pages from the user’s computer, to avoid arousing suspicion by triggering an unknown device alert. It can extract the number of friends, and whether the user administrates any pages or has payment information in the account. This is an extremely sophisticated threat that took a lot of time and effort to set up. Rootkit-based malware shows an unusual level of sophistication and dedication,” concluded Botezatu.
Upon further probing, it was disclosed that the malware also includes functionality that interacts with Amazon website, which can store Amazon information and capability to interact with Amazon account through the use of a specially designed DLL file. Scranos has no clear target countries, but the most number of infection cases were seen in Italy, Indonesia, Romania, India, Brazil, and France.