Zacinlo rootkit


A newly uncovered form of stealthy and persistent malware is distributing adware to victims across the world while also allowing attackers to take screenshots of infected machines' desktops. While a form of the Zacinlo rootkit has been active for several years, Bitdefender said Monday that it has adopted a more sinister appearance: an anonymous "VPN" service, S5Mark, that worms its way into Windows 10 systems.

Discovered by researchers at Bitdefender, the malware has been named Zacinlo after the final payload delivered by the campaign, which first appeared in 2012. The vast majority of Zacinlo victims are in the US, with 90 percent of those infected running Microsoft Windows 10. There are also victims in other regions of the world, including Western Europe, China and India. A small percentage of victims are running Windows 7 or Windows 8.

What makes Zacinlo so unusual is that it is delivered by a rootkit, a malicious form of software which can manipulate the operating system and any installed anti-malware in such a way as to make the computer oblivious to the existence of the malware. Rootkit-based malware is complex and is therefore rare, accounting for less than one percent of all malware. It bypasses the security controls of your PC and installs itself firmly, making it almost impossible to remove. But the story about the Zacinlo malware doesn't end here: it also spies on you secretly, taking screenshots of your activities.

Zacinlo is so powerful that it deactivates most anti-malware products presently available. Popular targets of Zacinlo include Bitdefender, Kingsoft, Symantec, Microsoft, Avast, and numerous other programs. The actors have disguised the Zacinlo malware as a free VPN, 'S5Mark'. This way, you fall prey to the malware right after you download the S5Mark downloader.


Once installed, it entirely takes over your system for malicious activities. These include manipulating the OS and preventing anti-malware from operating, ultimately in service of its main goal: displaying ads and generating revenue. This is achieved by injecting scripts into web pages (even secured ones served over HTTPS).

Zacinlo runs on most commonly used browsers, including Chrome, Firefox, Internet Explorer, Edge, Safari, and Opera. As the adware begins working, it wipes out any other adware present on the victim's PC so that it alone collects the revenue. It then displays ads to generate revenue from the resulting clicks. Alongside displaying ads, it continually takes screenshots of the victim's desktop as the malware renders a page. These screenshots are then transmitted back to the operators, so the malware essentially works as spyware as well, secretly gathering images of your activities.

The main selling point of Windows 10 when it was released back in 2015 was its improved security features, which made it hard for rootkits to maintain persistence on new Windows installs. Although Zacinlo was categorized as a Potentially Unwanted Program (PUP), the infection survives even after reinstalling the Windows operating system. The rootkit also comes with man-in-the-middle capabilities to intercept traffic, even over HTTPS, which could be used to tamper with banking sessions. The rootkit also has the regular adware components, which are used to harvest data from the local system and receive commands from the server.

The rootkit also comes with a self-upgrade feature which allows it to update itself to the latest version of the software. The rootkit strain has been found in the US, France, Germany, Brazil, China, India, Indonesia and the Philippines.
