Story image

Bitdefender unravels the mystery of the Zacinlo adware

20 Jun 18

Adware has been around for more than a decade, helping software creators make money as they deliver free apps to users. But now the line between adware and spyware has become increasingly fuzzy as confusing marketing, persistence mechanisms, and aggressive opt-outs become the new normal.

That’s according to Bitdefender, which looked at one particular ad fraud operation called Zacinlo. The Zacinlo malware, which Bitdefender classes as an advanced strain of spyware, has been operating covertly since 2012 and targeting users of free applications, as well as gamers.

“The adware components are silently installed by a downloader that is presented as a free and anonymous VPN service (s5Mark), distributed in an installer. s5Mark has a simple graphical interface used as a decoy for the intrusive unwanted behaviour taking place behind the scenes. Note that a non-technical user is led to believe that a VPN connection is established even though no such thing is even attempted,” Bitdefender explains.

The adware is able to open an invisible browser to load advertising banners, and simulate clicks from the user. It also switches ads users see on webpages for the attacker’s own ads, which means it collects advertising revenue.

Bitdefender says this type of rootkit-based malware is so rare that fewer than 1% of threats use it – and there’s no easy fix. The rootkit is able to install itself on most Windows operating systems, including Windows 10.

“We have identified at least 25 different components found in almost 2,500 distinct samples. While tracking the adware, we noticed some of the components were continuously updated with new functionalities, dropped altogether or integrated entirely in other components,” Bitdefender says in a white paper.

Zacinlo is able to detect targeted antimalware solutions and stop them from launching. Bitdefender’s own solutions, as well as those from Qihoo, Kingsoft, Malwarebytes, Symantec, Panda, HitmaPro, Avast, Avg, Microsoft, Kaspersky, Emsisoft, and Zemana are affected.

While most malware samples have been spotted in the USA, many have been found in the Philippines, Indonesia, India, China, France, Germany, and Brazil.

Bitdefender says there are several main features in Zacinlo that are of interest: firstly, it uses an adware cleanup routine used to remove potential competition in the adware space – which means it gets full exposure and ad revenue.

It is also able to take desktop screenshots that can be sent back to the attackers for analysis; decrypt SSL communications through man-in-the-browser attacks, and redirect pages in browsers.

Notably, the aware is able to mimic normal user behaviours such as scrolling, clicking and keyboard input through hidden webpages in the background.

“This is typical behaviour for advertising fraud that inflicts significant financial damage on online advertising platforms,” Bitdefender says in the white paper.

How to stay safe when shopping online
Online shopping is a great way to avoid the crowds – but there are risks.
Dell EMC embeds security in latest servers
Dell EMC's 14th generation of PowerEdge servers has comprehensive management tools to provide security across hardware and firmware.
Why data backups should be a part of daily operations
"Disaster recovery needs to address complete system failure and provide a set of security policies to govern disaster incidents."
Businesses focusing on threats from within - survey
Over 50% of respondents reported that 100 days of dwell time or more was representative of their organisation.
Corelight and Exabeam partner to improve network monitoring
The combination of lateral movement and siloed usage of point security products leaves many security teams vulnerable to compromise.
SailPoint releases first identity annual report
SailPoint’s research found that many organisations are lacking maturity in their governance processes over identities.
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.