Security researchers at Bitdefender have discovered a sophisticated and persistent piece of malware that steals data and monitors the online activities of Windows users, mainly on Windows 10 and in some cases on Windows 7 and Windows 8.
Dubbed Zacinlo by the researchers, the malware has been active since 2012-2013, but Bitdefender's latest research [PDF] shows that it currently targets mostly users in the United States, with further victims in China, India, France, Brazil, Germany, Indonesia, and the Philippines.
The malware has several capabilities: installing itself on the targeted system, flooding the system with advertisements whenever the victim visits a website, opening multiple browser sessions, and replacing a website's legitimate ads with ads it receives from its command and control (C&C) server. It does not end there: the malware authors also configure how the ads are displayed so that victims click on them, generating revenue for the authors.
“Their aggressiveness is highly configurable. Some ads can be configured to have a close button or fade away after some time, while others cannot be closed,” noted Bitdefender.
Furthermore, Zacinlo gains admin privileges on the targeted device, which makes it nearly impossible to get rid of. What makes this malware exceptional, however, is its rootkit capabilities (like the VPNFilter malware), meaning that it is spread through a rootkit: a set of malicious software tools that enable an unauthorized user to gain control of a computer system without being detected.
“Since rootkits these days account for under 1 percent of the malware output we see worldwide, this immediately drew our attention and prompted us to carry out an extensive analysis of the payload, its origins, and the spread. We discovered an ample operation whose central component is a very sophisticated piece of adware with multiple functionalities,” explained the researchers.
Another alarming feature of Zacinlo is that it takes screenshots of the user's online activity and sends them to the command and control server. This poses a massive privacy threat to victims, since the malware authors are not only seeking ad revenue but are also after login credentials, browsing activity, and personal data, including photos, videos, and important or sensitive files.
Moreover, the researchers found that Zacinlo is currently being spread through a fake free VPN service called s5Mark. The victim believes they have installed a free VPN on their system, but in the background the installer drops the Zacinlo payload, which abuses popular browsers such as Edge, Internet Explorer, Firefox, Chrome, Opera, and Safari to hijack secured web connections using man-in-the-middle (MITM) attack methods.
Windows users are advised to refrain from installing third-party apps on their systems and to avoid visiting unknown websites. The full list of malicious domains distributing this campaign is available in Bitdefender's report [PDF]. To learn how to remove the S5Mark installation, follow this link.