This Sophisticated Spyware Supports Advertising Fraud, Pulls Ads from Google’s AdSense

Zacinlo also takes screenshots, runs an adware cleanup to get rid of competitors

By CBR Staff Writer

Cybersecurity specialist Bitdefender has identified an “extremely sophisticated piece of rootkit-based spyware” that has been running covertly since early 2012, the Bucharest-based company said on Monday. It is the second major item of spyware the company has identified in recent weeks.

The malware, “Zacinlo”, infects users’ computers and either opens invisible browser instances, loads advertising banners in them and simulates clicks from the user, or replaces ads loaded naturally inside the browser with the attacker’s ads in order to collect the advertising revenue.

Bitdefender said it uses several platforms to pull advertising from, including Google AdSense.

It also routinely takes screenshots of the screens of those infected and sends them to command-and-control centres. The vast majority of the samples tracked were spotted in the USA and, in much lower numbers, in France, Germany, Brazil, China, India, Indonesia and the Philippines.

Runs on Windows 10

In a whitepaper published today by four security researchers at the company, Bitdefender said: “Last year we came across a digitally signed rootkit capable of installing itself on most Windows operating systems, including the newest releases of Windows 10.”

“Since rootkits these days account for under one percent of the malware output we see worldwide, this immediately drew our attention… We discovered an ample operation whose central component is a very sophisticated piece of adware with multiple functionalities.”

The adware has been active since 2012-2013, researchers Claudiu Coblis, Cristian Istrate, Cornel Punga and Andrei Ardelean said. The team has identified at least 25 different components found in almost 2,500 distinct samples.

“While tracking the adware, we noticed some of the components were continuously updated with new functionalities, dropped altogether or integrated entirely in other components. This once again reinforces our initial assumption that the adware is still being developed as of the writing of this paper.”

What’s Unique?

The main features of this adware that drew the company’s attention are:

– The presence of a rootkit driver that protects itself as well as its other components. It can stop processes deemed dangerous to the functionality of the adware while also protecting the adware from being stopped or deleted.

– The presence of man-in-the-browser capabilities that intercept and decrypt SSL communications. This allows the adware to inject custom JavaScript code into webpages visited by the user.

– It features an adware cleanup routine used to remove potential “competition” in the adware space.

– It takes screen captures of the desktop and sends them to the command and control center for analysis. This functionality has a massive impact on privacy as these screen captures may contain sensitive information such as e-mail, instant messaging or e-banking sessions.

Tricks Users via VPN Install

The adware components are silently installed by a downloader that is presented as a free and anonymous VPN service (s5Mark), distributed in an installer.

s5Mark has a simple graphical interface used as a decoy for the intrusive unwanted behavior taking place behind the scenes.

Once installed, Zacinlo can accommodate the installation of virtually any piece of software on the fly and thus extend its functionality.
