Security researchers have uncovered a massive, six-year-long adfraud campaign dubbed Zacinlo. Over the years, the operators behind Zacinlo have been constantly updating their malware and consistently added components designed to harvest victims’ data and resist removal. Zacinlo is now considered to be a highly sophisticated piece of spyware that has been making money for its operators and compromising victims’ privacy since 2012.
According to security researchers at Bitdefender, there are over 25 components to the malware which were found in around 2,500 samples. The malware’s components have either been continually updated with new functionalities to integrate other components or dropped completely. Bitdefender researchers believe this indicates that the adware is still being developed by its operators.
What features does Zacinlo have?
The malware comes packed with a rootkit driver, which is a significant component that provides protection for other components and blocks antimalware services. The rootkit driver also allows the malware to inject custom code into webpages.
The malware includes other components such as an adware clean-up routine that wipes out other adware families that can pose a competition to Zacinlo.
Zacinlo can also take screenshots of the infected system’s desktop screen and send it to the C2 server. Moreover, the adware can automatically update and incorporate any other kind of software, which increases its range of expansion. Zacinlo also adds or replaces advertisements “while browsing by searching DOM objects by size, style, class or specific regular expressions”. The adware also uses several other platforms to pull adverts, including Google AdSense.
Who is Zacinlo targeting?
The adware is currently primarily targeting victims in the US. However, Zacinlo has also been spotted targeting other countries such as Germany, France, Brazil, China, India, Philippines and Indonesia. Bitdefender researchers found that a majority of the attacks - around 90% - targeted users running Windows 10 computers, while a small portion targeted users running Windows 7 and 8.
What can Zacinlo do?
“Components of this campaign seem to date back as far as 2012 but it appears the adware was most active in the final months of 2017,” Bitdefender researcher wrote in a blog. “The central piece of the adware is probably the rootkit driver, which is responsible for providing persistence and protection for the other components from being read, written or deleted. It is also used to patch or block antimalware services.”
The adware’s antimalware feature blocks products developed by Bitdefender, Qihoo, Kingsoft, Malwarebytes, Symantec, Panda, HitmaPro, Avast, Avg, Microsoft, Kaspersky, Emsisoft and Zemana.
According to researchers, some of the malware’s droppers and downloaders install more components, “several of which are interconnected and will check for the presence of other components”. Even in the event that these components are not installed, they are still downloaded and set as persistent to survive any reboots. Some of the malware’s components are designed to collect more data about the system, take screenshots and send the data to the C2 server, while other components can kill processes.
“Apparently, not only security solutions are targeted but other adware processes as well. The targeted adware is not specific, but belongs to many different families,” Bitdefender researchers said. “We presume that the operators of Zacinlo are either competing against other adware rings or just fighting for system resources as the page rendering, browsing pages and videos consumes significant CPU cycles and network bandwidth.”