

Posted: April 16, 2019

Scranos is a rootkit that can collect confidential information, distribute itself to your Facebook contacts, and use your system's resources for different kinds of fraud, including subscribing to YouTubers' channels. As a high-level and persistent threat, it gives an attacker invasive control over the system. Always have an updated anti-malware solution quarantine or delete Scranos immediately.

Scranos: a YouTubers' Rootkit that's not so Scrawny

While Ransomware-as-a-Service has long been a subject of interest in the cyber-security industry, some threat actors are taking the idea of rental Trojans to new and influential levels. Scranos, a rootkit – or kernel-mode persistent threat that runs at the same privilege level as the operating system, and even loads before it – is offering 'influencers' a quick and illicit path to fame. While its choice of business model is odd, malware experts note that its strategies for achieving those goals aren't especially untraditional for a threat of its type.

Scranos can circulate itself through phishing messages that it sends to the Facebook contacts of users of already-infected systems. After it climbs aboard and achieves persistence, it starts collecting information (such as Steam credentials and session cookies), dropping adware and other add-ons into the victim's browsers, and spying on the user's browsing history. However, the surprise in its payload is its use of concealed Chrome windows for subscribing to YouTube channels.
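Because the infection drops adware and other add-ons into the victim's browsers, one defensive triage step is to list the extensions a Chrome profile has registered and flag those that were not installed from the Web Store or that hold permissions broad enough to read cookies, history or every page. The script below is an added example for this page and is not code from the original article or from any Scranos analysis; it assumes the layout of Chrome's per-profile `Preferences` JSON (`extensions.settings.<id>` entries carrying `from_webstore`, `path` and a `manifest` with `update_url` and `permissions`), and the embedded sample profile, extension ids and install path are constructed for illustration rather than indicators tied to Scranos.

```python
import json
from typing import Dict, List

# Update endpoint that Web Store extensions point at (known Chrome constant).
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Permissions that let an extension observe or alter the user's whole browsing
# session: the kind an adware or credential-stealing add-on needs.
BROAD_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "tabs", "history", "cookies",
}

# Constructed sample in the shape of Chrome's Preferences file (assumed layout):
# one ordinary Web Store extension and one sideloaded add-on with broad rights.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
                "manifest": {
                    "name": "Harmless Notes",
                    "update_url": WEBSTORE_UPDATE_URL,
                    "permissions": ["storage"],
                },
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "path": "C:\\ProgramData\\example-dropped-addon",  # constructed path
                "manifest": {
                    "name": "Video Helper",
                    "permissions": ["<all_urls>", "tabs", "cookies"],
                },
            },
        }
    }
}


def find_suspicious_extensions(prefs: dict) -> List[Dict]:
    """Return one finding per extension that looks sideloaded or over-privileged.

    Each finding lists the reasons it was flagged so an analyst can decide
    whether the entry is a legitimate enterprise add-on or a dropped payload.
    """
    settings = prefs.get("extensions", {}).get("settings", {})
    findings: List[Dict] = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons: List[str] = []
        if not entry.get("from_webstore", False):
            reasons.append("not_from_webstore")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("non_webstore_update_url")
        broad = sorted(set(manifest.get("permissions", [])) & BROAD_PERMISSIONS)
        if broad:
            reasons.append("broad_permissions:" + ",".join(broad))
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "path": entry.get("path", ""),
                "reasons": reasons,
            })
    return findings


def scan_preferences_file(path: str) -> List[Dict]:
    """Load a real Preferences file from disk and run the same checks on it."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_suspicious_extensions(json.load(fh))


if __name__ == "__main__":
    for finding in find_suspicious_extensions(SAMPLE_PREFS):
        print(f"{finding['id']}  {finding['name']!r}  {finding['path']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On a live system, point `scan_preferences_file` at the profile's `Preferences` file (under the user's Chrome `User Data` directory) from a clean analysis host, since a kernel-mode rootkit can hide or falsify what tools on the infected machine see. A flagged entry is a lead, not a verdict: managed enterprise extensions also fail the Web Store checks, so compare against the organisation's allow-list before acting.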

Scranos can change which channels receive these benefits according to instructions from its Command & Control server, and malware researchers confirm it's using this feature for aggressive promotional purposes for at least four YouTubers. If it's using a model not dissimilar from the preexisting RaaS industry, its deployment configuration depends on which YouTubers are paying the upfront fee for its benefits, which could be a monthly or a one-time price. Since it mutes the browser's audio and otherwise silences any symptoms, regular users shouldn't see any direct evidence of these actions.

A Black Hat Price for Fame is Costly to Everyone

Scranos represents more than just the danger of YouTubers' subscriber counts becoming meaningless, or even a security problem for the infected PC. It also raises the specter of criminals using the rootkit's features for sabotaging channels by inflating their subscription count without the YouTuber's consent. As the streaming industry continues evolving with back-and-forth security and legal concerns, the presence of streaming video-specific threats like the Scranos rootkit could become a highly toxic element for all sides.

Even if all of Scranos's 'influencer' features were rendered inactive, it would remain representative of its class of threat for the victims hosting it on their computers. It can install other software automatically and grant threat actors unfettered access to private accounts, logins and other data. Users should disable their network connections as a first step in dealing with infections, and follow this precaution up with removing Scranos during a thorough anti-malware scan.

Scranos is, for most users, nothing worse than another, already-concerning rootkit that guarantees its persistence before their operating system even starts loading. What it means for the online entertainment industry, however, could be much more than that.