Windows 10 users face another threat to their PCs. This time the malware is an adware that spams you with advertisements. It bypasses the security software on your PC and installs itself so firmly that it is almost impossible to remove. But the story of the Zacinlo malware doesn’t end there: it also spies on you secretly by taking screenshots of your activity.
Primarily, the malware infects Windows 10 PCs, although a small percentage of Zacinlo victims run Windows 7 and 8. The researchers tracked most of the active samples in the USA, but the malware has also infected smaller numbers of users in Germany, Brazil, France, India, China, Indonesia, and the Philippines.
Zacinlo Malware Poses Threat To Windows 10 Devices
Researchers at Bitdefender have discovered a sophisticated malware that takes over your computer and spams you with ads. They named it ‘Zacinlo’ after the final payload, considering this a temporary name for a complex piece of code. The Zacinlo malware has been around for almost six years, infecting a number of Windows users.
After a year of research, the researchers at the Cyber Threat Intelligence Lab have published a detailed white paper about this malware. Although the malware has been around since 2012, it became most active in late 2017. Explaining their work, the researchers state:
“Last year we came across a digitally signed rootkit capable of installing itself on most Windows operating systems, including the newest releases of Windows 10. Since rootkits these days account for under 1 percent of the malware output we see worldwide, this immediately drew our attention and prompted us to carry out an extensive analysis of the payload, its origins, and the spread. We discovered an ample operation whose central component is a very sophisticated piece of adware with multiple functionalities.”
Zacinlo is capable of deactivating most anti-malware products currently available. Its targets include products from Bitdefender, Kingsoft, Symantec, Microsoft, Avast, and numerous other vendors. As the white paper explains:
“The central piece of the adware is probably the rootkit driver, which is responsible for providing persistence and protection for the other components from being read, written or deleted. It is also used to patch or block antimalware services. Among the targeted antimalware solutions are products developed by the following companies: Bitdefender, Qihoo, Kingsoft, Malwarebytes, Symantec, Panda, HitmanPro, Avast, Avg, Microsoft, Kaspersky, Emsisoft, and Zemana. The rootkit finds them by file names or by Subject Name filled in their certificates, then the antimalware modules are prevented from starting.”
Be Careful While Installing VPN As You May Install Zacinlo
The actors have disguised the Zacinlo malware as a free VPN called ‘s5Mark’, so you fall prey to it as soon as you download and run the s5Mark downloader.
“The infection chain starts with a downloader that installs an alleged VPN application. Once executed, it downloads several other components, as well as a dropper or a downloader that will install the adware and rootkit components.”
Once installed, it takes over your system entirely for malicious activity. This includes manipulating the OS and preventing anti-malware from operating, all in service of its main goal: displaying ads and generating revenue. It does this by injecting scripts into web pages, including pages served over TLS.
“In a hijacked connection that takes place via TLS, the original site certificate is replaced and the page contains an injected script. The script is external and found on cdn.optitc.com. The script collects information about the browser (version, cookies, visited URL, time zone, language, etc.), and generates a new external script found on the same C&C with the collected data encoded in base64. The received script contains a configuration JSON that tells the script what advertisements should be added and where.”
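The injection described above leaves a visible trace in the delivered page: an external script from a host the site itself never references. The following script-origin audit is an added example, not code from this article or from Bitdefender; it parses an HTML document and reports every external script whose host is neither the page's own nor on an allow-list. The sample page, its hostnames, and the script path on cdn.optitc.com are all constructed for the example (the article names only the host, not a path).

```python
"""
Audit an HTML document for external <script> tags loaded from hosts that
are neither the page's own host nor on an explicit allow-list.
Added example, not from the article or Bitdefender; sample data is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser already lower-cases tag names
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def external_script_hosts(html, page_url):
    """Return (host, src) for each script loaded from a host other than the page's own.

    Relative paths ("/js/app.js") have no host and are skipped; protocol-relative
    sources ("//host/path") are parsed by urlparse as a netloc and are included.
    """
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = _ScriptCollector()
    parser.feed(html)
    found = []
    for src in parser.sources:
        host = urlparse(src).hostname
        if host and host.lower() != page_host:
            found.append((host.lower(), src))
    return found


def unexpected_scripts(html, page_url, allowed_hosts=()):
    """Scripts from hosts that are neither the page's own nor on the allow-list."""
    allowed = {h.lower() for h in allowed_hosts}
    return [(h, s) for h, s in external_script_hosts(html, page_url) if h not in allowed]


# Constructed sample: a login page as it might be delivered after the TLS hijack
# described in the white paper. One script is from the site's own CDN (allowed),
# one is from the C&C host named in the article (the file name is made up here).
SAMPLE_PAGE_URL = "https://www.example-bank.test/login"
SAMPLE_ALLOWED = ("static.example-bank.test",)
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example-bank.test/lib.js"></script>
<script src="//cdn.optitc.com/inject.js"></script>
<script>var inline = 1;</script>
</head><body><form action="/login"></form></body></html>"""

if __name__ == "__main__":
    for host, src in unexpected_scripts(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_ALLOWED):
        print(f"UNEXPECTED script from {host}: {src}")
```

The audit only sees what reached the client, so run it on the page as the browser received it (saved source or a capture taken on the machine under suspicion), not on a copy fetched from a clean host; a host-level check like this is a heuristic that complements, rather than replaces, a rescue-mode anti-malware scan.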
The Malware Takes Screenshots Of Your PC Screen
Zacinlo runs on most commonly used browsers, including Chrome, Firefox, Internet Explorer, Edge, Safari, and Opera. As it begins working, it wipes out any other adware present on the victim’s PC to clear the way for its own goals. It then displays ads to generate revenue from clicks.
Alongside displaying ads, it continually takes screenshots of the victim’s desktop. These screenshots are transmitted back to the operators, so the malware also works as spyware, secretly gathering images of your activity.
Can We Detect This Malware?
The sophistication of this malware makes it extremely difficult to detect. Yet there is one way to detect the presence of Zacinlo on your PC: scanning from rescue mode, which runs outside the potentially compromised operating system. As Bogdan Botezatu, Senior e-Threat Analyst at Bitdefender, states:
“Since the rootkit driver can tamper with both the operating system and the anti-malware solution, it is better to run a scan in this rescue mode rather than running it normally.”
In addition, Windows users should take the usual measures to detect spyware on their systems, and they should be cautious when downloading third-party apps, especially from untrusted sources, to protect themselves from malware.
Let us know your thoughts in the comments section.