Scranos Malware

Scranos is a rootkit-based spyware that spreads through corrupted software: trojanized copies of legitimate applications such as e-readers and video players, and even counterfeit anti-malware products. The malware continues to evolve and, by connecting to its command and control center, receives commands to update itself and fix issues in the current version.

Although the malware has spread around the world, it is most prevalent in countries such as India, Romania, Brazil, France, Italy and Indonesia. The malware was first detected in November 2018, and the number of observed samples peaked in December 2018 and January 2019.

After infecting a victim's system, the malware installs a rootkit that guarantees its own persistence and that of the other components installed later on the victim's system. The rootkit carries a digital signature issued by a credible CA, possibly obtained under the attackers' influence. Despite its persistence mechanism, the rootkit lacks self-protection mechanisms and, once spotted, can easily be removed from the system. Most of the other malware components, however, delete themselves after executing on the victim's system and, if needed, can be downloaded again from the malware's control center.

In summary, the infection process on a victim's system is as follows:

  • The main malware file, using DLLs embedded in its body, steals cookies and account credentials for various websites, including online banking, from popular Internet browsers, targeting well-known sites such as Facebook, YouTube, Amazon and Airbnb, and sends them to the malware's command and control center.
  • The main malware file installs the rootkit on the victim's system.
  • The rootkit ensures its persistence on the victim's system by copying itself to disk when the system shuts down and creating a service.
  • The rootkit injects a downloader executable into the memory space of the svchost.exe process.
  • The rootkit sends information about the victim system to the malware control center and receives download links.
  • At this point, other malware components are downloaded and executed on the victim's system.

The original malicious file steals cookies and account credentials from the current user's default browser using DLLs embedded in its body, which it decrypts and loads into its own process space. Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu and Yandex are among the browsers from which it can steal user information related to Facebook, YouTube, Amazon and Airbnb. In addition, if the user is logged in to Facebook, the malware can retrieve certain web pages from the victim's own system, so that the server does not detect an unusual location and does not alert the user, and thereby gains information about the victim. The malware can also use the victim's Facebook account to steal the Instagram login cookie and the number of Instagram followers.

Symptoms of infection

When the system is infected, it connects to various URLs, including:

  • (114dns Chinese public DNS)
  • (Cloudflare)

Methods of Cleaning an Infected System

To clean the malware from the system, proceed as follows:

  • Close all Internet browsers
  • Kill all processes executed from %TEMP%
  • Kill the rundll32.exe process
  • Derive the rootkit name as follows:
    • Get the current user's SID
    • Compute the MD5 hash of the SID string
    • The rootkit name is the first 12 characters of the resulting hash
  • Run cmd or PowerShell with Administrator privileges and type the following commands, using the name derived in the previous step:
    • sc stop <rootkit-name>
    • sc delete <rootkit-name>
  • Go to %WINDIR%\System32\drivers, find the rootkit file with the name derived in step 4 and the .sys extension, and remove it.
  • Remove the DNS driver:
    • Check whether a driver with a 10-character name and a .sys extension, such as ABCDEFGHIJ.sys, is present in %TEMP%.
    • Check for a registry key with the same name under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ABCDEFGHIJ
    • Run cmd or PowerShell with Administrator privileges and type the following commands:
      • sc stop ABCDEFGHIJ
      • sc delete ABCDEFGHIJ
    • Delete the file %TEMP%\ABCDEFGHIJ.sys
  • Reboot the system to remove the code injected into the svchost.exe process
  • Remove any suspicious extensions from Internet browsers
  • Change all passwords belonging to the affected user
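
The following PowerShell script is an added example, not part of the original article or of any vendor tooling, that carries out the checks from the cleanup steps above on the local machine: it derives the expected rootkit driver name from the current user's SID (the article gives the rule as "first 12 characters of the MD5 of the SID"; hashing the SID string as UTF-8 bytes and rendering the digest as lowercase hex are assumptions made here), then looks for the driver file and service, for a 10-character .sys file in %TEMP% with a matching Services registry key, and for processes running out of %TEMP%. The optional Remove-ScranosService function mirrors the sc stop / sc delete and file-deletion steps and must be run from an elevated shell.

```powershell
# Added example: check a Windows host for the Scranos artifacts listed in the cleanup steps.
# Read-only unless Remove-ScranosService is called explicitly.

function Get-ScranosRootkitName {
    param(
        # Defaults to the SID of the user running the script.
        [string]$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    )
    # Assumption: the SID string is hashed as UTF-8 bytes and the name is the first
    # 12 lowercase hex characters of the MD5 digest.
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Sid)
    $hex   = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    return $hex.Substring(0, 12)
}

function Test-ScranosArtifacts {
    param([string]$RootkitName = (Get-ScranosRootkitName))
    $findings = @()

    # 1. Rootkit driver in %WINDIR%\System32\drivers and the service that loads it.
    $driverPath = Join-Path $env:WINDIR "System32\drivers\$RootkitName.sys"
    if (Test-Path $driverPath) { $findings += "Rootkit driver file present: $driverPath" }
    if (Get-Service -Name $RootkitName -ErrorAction SilentlyContinue) {
        $findings += "Service registered with rootkit name: $RootkitName"
    }

    # 2. DNS driver: a 10-character .sys file in %TEMP% with a matching Services key.
    Get-ChildItem -Path $env:TEMP -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName.Length -eq 10 } |
        ForEach-Object {
            $findings += "Candidate DNS driver in TEMP: $($_.FullName)"
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.BaseName)"
            if (Test-Path $svcKey) { $findings += "Matching service key: $svcKey" }
        }

    # 3. Processes executing from %TEMP% (the cleanup steps say to terminate these).
    Get-Process |
        Where-Object { $_.Path -and $_.Path.StartsWith($env:TEMP, [System.StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object { $findings += "Process running from TEMP: $($_.ProcessName) (PID $($_.Id)) $($_.Path)" }

    return $findings
}

function Remove-ScranosService {
    # Mirrors the 'sc stop' / 'sc delete' steps and the driver file deletion; needs an elevated shell.
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$DriverPath
    )
    & sc.exe stop $Name   | Out-Null
    & sc.exe delete $Name | Out-Null
    if ($DriverPath -and (Test-Path $DriverPath)) { Remove-Item -Path $DriverPath -Force }
}

# Usage: run the checks and print anything found.
$name    = Get-ScranosRootkitName
Write-Host "Expected rootkit driver name for this user: $name"
$results = Test-ScranosArtifacts -RootkitName $name
if ($results.Count -eq 0) {
    Write-Host "No Scranos artifacts found."
} else {
    $results | ForEach-Object { Write-Host "[!] $_" }
    # Example remediation, uncomment after reviewing the findings:
    # Remove-ScranosService -Name $name -DriverPath (Join-Path $env:WINDIR "System32\drivers\$name.sys")
}
```

Because the rootkit name depends on the SID of the user who was logged in when the infection occurred, run the name derivation for each user account on the machine (pass that account's SID to Get-ScranosRootkitName) rather than only for the account running the script. A reboot is still required afterwards to clear the code injected into svchost.exe.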

Methods of Infection Prevention

The following recommendations can play a significant role in preventing infection of computer systems.

  • Do not download or install applications from untrusted sources
  • Do not download or install cracked applications from untrusted sources
  • Install anti-virus software and update it regularly

Since the widespread proliferation of malware and viruses on computer systems has caused many problems for their owners in recent years, installing anti-virus software is one of the essential measures for preventing infection and the spread of malware. Always use reputable anti-virus programs and update them regularly to ensure that virus scans on your computer system remain effective.