Zacinlo Adware Uses a Rootkit

What Is It?

Romanian-based anti-virus company Bitdefender has recently released a highly detailed report about a piece of malicious adware it has named Zacinlo (which may be a misnomer, as it translates from Slovenian as “temporary”).

Though believed to have been originally released in 2012, the rootkit component that the adware’s authors have added in the past two years is able to bypass additional security features added to Windows 10. The majority of infected users are located in the U.S., with smaller numbers in France, Germany, Brazil and South East Asia.

Commonly files are considered to be either benign or malicious. However, security professionals and administrators are only too familiar with the third category — potentially unwanted programs/applications (PUPs/PUAs). Depending on the specifics of the environment, the user base and security policies in place, PUPs are either tolerated or considered malicious in corporate networks. Depending on which view is taken of PUPs on a given network and the products in use, detections are often considered false positives. One of the main constituents of the PUP category is adware, frequently considered merely a nuisance. The details of Zacinlo may change that perception.

Zacinlo initially infects a system using a downloader component which claims to be a free VPN service named S5Mark. What it actually does is download and install other modules, including the rootkit component. Researchers discovered that 90% of recent infections occurred on Windows 10 systems, indicating the rootkit is effective at evading Windows 10 security protections, designed to harden the operating system against rootkits.

The rootkit’s function is to ensure that Zacinlo remains on the system as long as possible, by stopping other Zacinlo components from being read, written to or deleted. The rootkit’s driver is digitally signed using a certificate that has since been revoked. It also determines if various security products from vendors such as Malwarebytes, Symantec, Panda, Microsoft, Kaspersky and Bitdefender are present and prevents them from starting. During a system shutdown, it takes a somewhat novel step to ensure it is more difficult to locate. It will copy itself from memory to a file with a new name and then it updates the Windows registry key with the new name to ensure that it starts again.

Zacinlo’s main functions appear to be to display advertisements and to run a hidden browser to generate income for the attackers by clicking on more advertisements. It’s also capable of removing competing adware. There are two additional functions that make Zacinlo a greater potential threat than most adware. The first is a module that intercepts and manipulates web traffic, including HTTPS. This could be utilized to perform man-in-the-middle (MitM) attacks related to online banking and e-commerce, but seems to be currently used to inject advertisements into web pages. The second module is capable of taking screenshots, a common feature of malicious trojans, which could include sensitive information.

The capabilities and sophistication of Zacinlo demonstrates that the perceived line between adware and malware doesn’t, and probably shouldn’t, exist.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. In this case, the infection vector is the downloader component purporting to be a legitimate VPN application.

When/How Did BluVector Detect It?

Samples of Zacinlo’s rootkit component were randomly selected from a large list of file hashes included in the appendices of the Bitdefender report. BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected and average of 31 months prior to their release in late 2017 and early 2018.

All Threat Reports