Sophisticated threats remain among the main concerns of enterprises today. As environments grow in complexity, malware actors find innovative ways to infiltrate overlooked entry points in networks, hiding behind the scenes to wreak havoc without ever making a full-blown appearance. Bitdefender Cyber-Threat Intelligence Labs have uncovered the intricacies of a new cross-platform spyware operation known as Scranos.
The rootkit-enabled Scranos campaign will likely spread at least as widely as the Zacinlo ad fraud operation, an extremely sophisticated piece of spyware running covertly since early 2012, generating revenue for its operators and compromising the privacy of its victims.
Knowing the level of sophistication and the dangers of this kind of attack, I sat down recently to answer some common questions about Rootkit Malware Defense.
What is rootkit malware?
A rootkit is a stealth type of malware that is designed to hide the existence of certain processes or programs on computers from regular detection methods, allowing it or another malicious process privileged access to computers.
How does Scranos work?
Disguised as cracked software or posing as legitimate applications, such as e-book readers, video players, drivers or even antimalware products, Scranos is infecting users worldwide because of its ability to survive across platforms, gaining a wider range of enterprise endpoints, particularly Android devices.
What are Scranos’ objectives?
With data exfiltration being the primary objective, the stakes are high: from risk management issues, to intellectual property theft and brand reputation damage. Scranos can leverage enterprise infrastructure to launch further attacks.
How does it advance?
As a rootkit-enabled operation, Scranos is designed to hide from system management and could easily disable firewalls and traditional antimalware if instructed to do so. It is persistent and leverages cloaking capabilities to come back even after it’s detected and removed.
Scranos is part of a bigger scheme. The command and control servers are pushing other strains of malware – a clear indicator that the network is now affiliated with third parties in pay-per install schemes.
The actors behind Scranos are continuously tweaking the malicious software, adding components on already-infected devices and improving the more mature functionalities. As Scranos actors continue to fine-tune malware components, the password- and data-stealing operation becomes stronger and eludes traditional endpoint protection.
A main entry point to an enterprise is its employees. They are viewed as the weakest link in corporate IT security, and threat actors easily bypass them to infiltrate companies. Cybercriminals are also exploiting the myriad of third-party tools organizations use. Their latest attack vectors include targeting smaller and less protected enterprise suppliers.
How can businesses defend against it?
A box-checking approach that includes firewalls and 8-digit passwords is no longer enough to counter stealthy and persistent threats. Anti-rootkit, anti-ransomware, behavioral analysis, advanced threat control, and machine learning capabilities are key to detecting and blocking sophisticated attacks.
To improve security posture, enterprises also need to enhance their detection and response capabilities. Security solutions and efforts should be agile, to ensure it moves and scales along with the business and the increasing number of “things” that need to be protected.
What are the technologies for detecting and responding to these kinds of threats?
To mitigate sophisticated threats, Security Operations Centers need visibility into post-compromise detection. An optimized solution includes advanced protection, detection and response, and addresses the entire threat lifecycle.
SOC analysts can leverage technologies including Sandbox Analyzer for detailed analytics on sophisticated threats, Network Traffic Security Analytics to analyze network traffic and endpoint traffic anomalies, and Hypervisor-based memory introspection to identify zero-days as easily as any known exploit.
SOC analysts not only need to block complex operations, but also understand the threat actors behind them, and automate responses for multiple attack vectors. To do so, they need to arm themselves with real-time insights that improve threat hunting and reduce time spent chasing “ghosts.”
In their deep dive into the Scranos rootkit operation, Bitdefender Cyber-Threat Intelligence Labs uncovered hundreds of unique Indicators of Compromise, including files hashes, domains, registry keys, URLs and IPs.
Rootkits are extremely persistent threats and they require special interaction for detection and removal. Step-by-step removal instructions can be found on page 34 of the white paper here.
- Scranos Rootkit Operation Turns Global - May 8, 2019