Zacinlo malware has been targeting Windows devices since 2012. A newly uncovered form of stealthy and persistent malware is distributing adware to victims across the world while also allowing attackers to take screenshots of infected machines’ desktops.
Discovered by researchers at Bitdefender, the malware has been named Zacinlo after the name of the final payload that’s delivered by the campaign which first appeared in 2012.
The vast majority of Zacinlo victims are in the US, with 90 percent of those infected running Microsoft Windows 10. There are also victims in other regions of the world, including Western Europe, China and India. A small percentage of victims are running Windows 7 or Windows 8.
What makes Zacinlo so unusual is how it is delivered by rootkit, a malicious form of software which can manipulate the operating system and any installed anti-malware in such a way to make the computer oblivious to the existence of the malware. Rootkit-based malware is complex and is therefore rare, accounting for less than one percent of all malware.
The malware appears to date back to 2012, but suddenly became very active during late 2017, with Zacinlo bundled with what is presented as a free application.
“We believe that the original fake VPN application that is bundled with the Zacinlo malware might be delivered via deceptive ads,” Bogdan Botezatu, senior e-threat analyst at Bitdefender told ZDNet.
“The operators can host this installer on as many websites as they want and just swap the links in the malicious advertising campaigns.”
Once downloaded, the false application pretends to act as a VPN would, but does nothing but act as a delivery mechanism for the malware, which uses the rootkit as a means of downloading files and eventually delivering the final Zacinlo payload.
The main goal of Zacinlo is to deliver adware, displaying adverts developed by the attackers in webpages the user visits and to secretly click through to them in order to generate ad revenue. Popular browsers including Edge, Internet Explorer, Firefox, Chrome, Opera and Safari can all be used to drive the adware.
In order to ensure it can carry out its goal, the malware can also clean up any other adware the victim device may be infected with.
Zacinlo is extremely persistent, secretly going about its business until it is told to stop by those running the command and control server — but using the computer to generate ad fraud isn’t the only threat posed by the malware.
Additional tools deployed by Zacinlo include the ability to send information about the infected steam back to the attackers, as well as the ability to take screenshots of whatever is on the victim’s desktop. Naturally, this could put sensitive information into the hands of the attackers.
“We believe that these screen captures play a role in both quality assurance as it reveals that the malware runs as designed with no browser windows visible to the user,” said Botezatu.
Other than that, the screenshots can also be used by the operators to gain even more information about the victim such as capturing passwords typed via an on-screen keyboard, for instance.
The campaign is thought to still be ongoing and the fact it has been active for over five years and that the malware is constantly being developed and updated shows that the malware is providing the means to operate comfortably.
The malware is stealthy, but Botezatu told ZDNet that it can be detected if the system is scanned in rescue mode. “Since the rootkit driver can tamper with both the operating system and the anti-malware solution, it is better to run a scan in this rescue mode rather than running it normally,” he said.
There’s currently no solid indication as who the cybercriminal operation behind the malware is, where they’re based, or if they have any additional goals to making illicit money.