Scranos, a new rootkit malware, steals passwords and pushes YouTube clicks

Security researchers have discovered an unusual new malware that steals user passwords and account payment methods stored in a victim’s browser — and also silently pushes up YouTube subscribers and revenue.

The malware, Scranos, infects with rootkit capabilities, burying deep into vulnerable Windows computers to gain persistent access — even after the computer restarts. Scranos only emerged in recent months, according to new Bitdefender research published Tuesday, but the number of its infections has rocketed since it was first identified in November.

“The motivations are strictly commercial,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender, in an email. “They seem to be interested in spreading the botnet to consolidate the business by infecting as many devices as possible to perform advertising abuse and to use it as a distribution platform for third party malware,” he said.

Bitdefender found the malware spreading through trojanized downloads that masquerade as real apps, like video players and e-book readers. The rogue apps are digitally signed — likely with a fraudulently generated certificate — to avoid getting blocked by the computer. “By using this approach, the hackers are more likely to infect targets,” said Botezatu. Once installed, the rootkit takes hold to maintain its presence and phones home to its command and control server to download additional malicious components. The second-stage droppers inject custom code libraries into common browsers — Chrome, Firefox, Edge, Baidu and Yandex to name a few — to target Facebook, YouTube, Amazon and Airbnb accounts, gathering data to send back to the malware operator.

Chief among those is the YouTube component, said Bitdefender. The malware opens Chrome in debugging mode and, with the payload, hides the browser window on the desktop and taskbar. The browser is tricked into opening YouTube videos in the background, muting them, subscribing to a channel specified by the command and control server and clicking ads.
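As an added example (not taken from Bitdefender's report or from this article), here is one way a defender could look for the launch pattern described above in process-creation telemetry. It assumes Sysmon-style fields (`Image`, `CommandLine`, `ParentImage`), that "debugging mode" corresponds to Chrome's `--remote-debugging-port` switch, and a site-specific allowlist of parent processes; the sample records are constructed.

```python
import ntpath
import re

# Chrome's DevTools remote-debugging switch (assumed to be the "debugging mode" launch).
DEBUG_FLAG = re.compile(r"--remote-debugging-port(?:=(\d+))?", re.IGNORECASE)

# Assumption: parents that legitimately start Chrome with debugging on this fleet.
ALLOWED_PARENTS = {"chromedriver.exe", "code.exe", "node.exe"}


def flag_debug_chrome(events):
    """Return findings for chrome.exe launches with remote debugging enabled
    by a parent process that is not on the allowlist."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image != "chrome.exe":
            continue
        match = DEBUG_FLAG.search(ev.get("CommandLine", ""))
        if not match:
            continue
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if parent in ALLOWED_PARENTS:
            continue
        findings.append({
            "host": ev.get("Computer"),
            "parent": parent,
            "port": int(match.group(1)) if match.group(1) else None,
        })
    return findings


# Constructed records shaped like Sysmon Event ID 1 (process creation).
# Host and file names are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --remote-debugging-port=9222 https://www.youtube.com/',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\player_setup.exe"},
    {"Computer": "WS-02", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --remote-debugging-port=9515 --headless',
     "ParentImage": r"C:\tools\chromedriver.exe"},
    {"Computer": "WS-03", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in flag_debug_chrome(SAMPLE_EVENTS):
        print(finding)
```

Only the WS-01 record is flagged: the test-automation launch is allowlisted by parent, and the ordinary user launch carries no debugging switch.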

The malware “aggressively” promoted four YouTube videos on different channels, the researchers found, turning victim computers into a de facto clickfarm to generate video revenue.

“They are looking at advertising fraud by consuming ads on their publisher channels invisibly in order to pocket the profit,” said Botezatu. “They are growing accounts that they have been paid to grow and helping inflate an audience so they can grow specific ‘influencer’ accounts.”

Another downloadable component allows the malware to spam a victim’s Facebook friend requests with phishing messages. By siphoning off a user’s session cookie, it sends a malicious link to an Android adware app over a chat message.

“If the user is logged into a Facebook account, it impersonates the user and extracts data from the account by visiting certain web pages from the user’s computer, to avoid arousing suspicion by triggering an unknown device alert,” reads the report. “It can extract the number of friends, and whether the user administrates any pages or has payment information in the account.” The malware also tries to steal Instagram session cookies and the number of followers the user has.

Other malicious components allow the malware to steal data from Steam accounts, inject adware into Internet Explorer, run rogue Chrome extensions and collect and upload a user’s browsing history.

“This is an extremely sophisticated threat that took a lot of time and effort to set up,” said Botezatu. The researchers believe the botnet has tens of thousands of devices ensnared already — at least.

“Rootkit-based malware shows an unusual level of sophistication and dedication,” he said.