Story image

Bitdefender unravels the mystery of the Zacinlo adware

20 Jun 2018

Adware has been around for more than a decade, helping software creators make money as they deliver free apps to users. But now the line between adware and spyware has become increasingly fuzzy as confusing marketing, persistence mechanisms, and aggressive opt-outs become the new normal.

That’s according to Bitdefender, which looked at one particular ad fraud operation called Zacinlo. The Zacinlo malware, which Bitdefender classes as an advanced strain of spyware, has been operating covertly since 2012 and targeting users of free applications, as well as gamers.

“The adware components are silently installed by a downloader that is presented as a free and anonymous VPN service (s5Mark), distributed in an installer. s5Mark has a simple graphical interface used as a decoy for the intrusive unwanted behaviour taking place behind the scenes. Note that a non-technical user is led to believe that a VPN connection is established even though no such thing is even attempted,” Bitdefender explains.

The adware is able to open an invisible browser to load advertising banners, and simulate clicks from the user. It also switches ads users see on webpages for the attacker’s own ads, which means it collects advertising revenue.

Bitdefender says this type of rootkit-based malware is so rare that fewer than 1% of threats use it – and there’s no easy fix. The rootkit is able to install itself on most Windows operating systems, including Windows 10.

“We have identified at least 25 different components found in almost 2,500 distinct samples. While tracking the adware, we noticed some of the components were continuously updated with new functionalities, dropped altogether or integrated entirely in other components,” Bitdefender says in a white paper.

Zacinlo is able to detect targeted antimalware solutions and stop them from launching. Bitdefender’s own solutions, as well as those from Qihoo, Kingsoft, Malwarebytes, Symantec, Panda, HitmaPro, Avast, Avg, Microsoft, Kaspersky, Emsisoft, and Zemana are affected.

While most malware samples have been spotted in the USA, many have been found in the Philippines, Indonesia, India, China, France, Germany, and Brazil.

Bitdefender says there are several main features in Zacinlo that are of interest: firstly, it uses an adware cleanup routine used to remove potential competition in the adware space – which means it gets full exposure and ad revenue.

It is also able to take desktop screenshots that can be sent back to the attackers for analysis; decrypt SSL communications through man-in-the-browser attacks, and redirect pages in browsers.

Notably, the aware is able to mimic normal user behaviours such as scrolling, clicking and keyboard input through hidden webpages in the background.

“This is typical behaviour for advertising fraud that inflicts significant financial damage on online advertising platforms,” Bitdefender says in the white paper.

Chillisoft rounds out portfolio with file integrity vendor
Tripwire is the fourth vendor for Chillisoft in six months, adding critical security controls, vulnerability management and file integrity monitoring.
ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Who's watching you? 
With privacy an increasing concern amongst the public, users should be more aware than ever of what personal data companies hold.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.
Optic Security Group celebrates Axis accolade
Auckland-based business security systems provider Fortlock has picked up an award at Axis Communications’ annual Oceania Axis Partner Summit 2019.
Managing data to comply with privacy regulations - Micro Focus
It’s crucial for organisations to be able to access, understand, and accurately classify the data they have so they know how to treat it.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.