Zacinlo malware threatens Windows 10 PCs' security

Malware takes screenshots of users' desktops, and has been operating silently for six years

Malware

Researchers have uncovered a sophisticated rootkit-based adware, mainly prevalent on Windows 10 devices, that has been operating covertly for six years.

Dubbed Zacinlo, this rare strain of malware typically operates by silently rendering webpages in the background in hidden windows to simulate clicks and keyboard interactions, or can replace ads naturally loaded in an open web browser with its own ads to collect revenue.

The malware, subject to an extensive investigation by security company Bitdefender, is armed with a sophisticated array of features to ensure it remains undetected, and even quashes any 'competition', featuring an adware cleanup routine to remove any potential rivals in the adware space.

It can also uninstall or delete services based on instructions it receives from the command and control infrastructure, to which it routinely sends information about its environment, including what form of anti-malware services may be installed, and which applications are running on startup.

Advertisement
Advertisement - Article continues below

One of its most concerning features involves a significant invasion of privacy, with Zacinlo able to take screen captures of a user's desktop and send them to its command and control centre for analysis.

Bitdefender's security researchers were alerted to the rootkit-based adware last year, publishing the results of its analysis in a whitepaper.

"Since rootkits these days account for under 1% of the malware output we see worldwide, this immediately drew our attention and prompted us to carry out an extensive analysis of the payload, its origins and the spread," the report said.

"We discovered an ample operation whose central component is a very sophisticated piece of adware with multiple functionalities."

Over the course of its investigation, Bitdefender learned the adware had been running covertly since 2012/13 with at least 25 different components in almost 2,500 distinct samples. Although components date back to 2012, the adware was most active towards the end of 2017.

The researchers also learned the functionality of many of Zacinlo's components were in a state of flux throughout the time it was being tracked; with functionalities updated, dropped, or integrated with other components, indicating it is still being developed.

The vast majority of the samples tracked were spotted in the US, with a handful found in France, Germany, Brazil, China, Indonesia, the Philippines, and several infections in the UK. 

Significantly, despite Windows 10 being fitted with in-built technology to protect users from rootkits, the overwhelming majority of samples, 90%, were found on devices running Microsoft's latest operating system.

"While generating untold revenue for the companies that run these programs, adware has witnessed constant improvements over the years in both data collection and resilience to removal," said Bitdefender senior e-threat analyst Bogdan Botenzatu.

"The line between adware and spyware has become increasingly fuzzy during recent years as modern adware combines aggressive opt-outs with confusing legal and marketing terms as well as extremely sophisticated persistence mechanisms aimed at taking control away from the user."

Advertisement
Advertisement - Article continues below

Asked where it fits into the wider threat landscape of 2018, Botenzatu told IT Pro: "Zacinlo was an unexpected surprise in the wider cyber-security landscape, which is currently dominated by ransomware and crypto-jacking malware.

"The discovery of rootkit-based malware that mostly affects Windows 10 is enough evidence that "independent" malware operators find lucrative niches in a threat landscape dominated by crypto-ransomware and illegal mining of digital currency."

Zacinlo is the latest in a number of sophisticated malware strains that researchers have uncovered in recent months. Bitdefender similarly detected a remote access tool, named RadRAT, previously operating undetected since 2015, which offers attackers full control over seized computers.

Roaming Mantis, meanwhile, which uses DNS-hijacking to redirect users to phishing sites running a Coin Hive cryptomining script, was found by Kaspersky Lab last month to be on spreading rapidly across the globe after emerging only a couple of months previously in a handful of countries including Japan and India.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

8 Mar 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019
Visit/network-internet/wifi-hotspots/354283/industrial-wi-fi-6-trial-reveals-blistering-speeds
wifi & hotspots

Industrial Wi-Fi 6 trial reveals blistering speeds

5 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019