Cybersecurity specialist Bitdefender has identified an “extremely sophisticated piece of rootkit-based spyware” that has been running covertly since early 2012, the Bucharest-based company said on Monday; the second major item of spyware it has identified in recent weeks.

The malware, “Zacinlo”, infects users’ computers and either opens invisible browser instances to load advertising banners in it, then simulates clicks from the user, or it replaces ads loaded naturally inside the browser with the attacker’s ads in order to collect the advertising revenue.

Bitdefender said it uses several platforms to pull advertising from, including Google AdSense.

It also routinely takes screenshots of the screens of those infected and sends them to command-and-control centres. The vast majority of the samples tracked were spotted in the USA and, in much lower numbers, in France, Germany, Brazil, China, India, Indonesia, Philippines.

Runs on Windows 10

In a whitepaper published today by four security researchers at the company, Bitdefender said: “Last year we came across a digitally signed rootkit capable of installing itself on most Windows operating systems, including the newest releases of Windows 10.”

“Since rootkits these days account for under one percent of the malware output we see worldwide, this immediately drew our attention…We discovered an ample operation whose central component is a very sophisticated piece of adware with multiple functionalities.”

The adware has been active since 2012-2013, researchers Claudiu Coblis, Cristian Istrate, Cornel Punga and Andrei Ardelean said. The team has identified at least 25 different components found in almost 2,500 distinct samples.

“While tracking the adware, we noticed some of the components were continuously updated with new functionalities, dropped altogether or integrated entirely in other components. This once again reinforces our initial assumption that the adware is still being developed as of the writing of this paper.”

 What’s Unique?

The main features of this adware that drew the company’s attention are:

– The presence of a rootkit driver that protects itself as well as its other components. It can stop processes deemed dangerous to the functionality of the adware while also protecting the adware from being stopped or deleted. The presence of  man-in-the-browser capabilities that intercepts and decrypts SSL communications. This allows the adware to inject custom JavaScript code into webpages visited by the user.

– It features an adware cleanup routine used to remove potential “competition” in the adware space.

– It takes screen captures of the desktop and sends them to the command and control center for analysis. This functionality has a massive impact on privacy as these screen captures may contain sensitive information such as e-mail, instant messaging or e-banking sessions.

Tricks Users via VPN Install

The adware components are silently installed by a downloader that is presented as a free and anonymous VPN service (s5Mark), distributed in an installer.

s5Mark has a simple graphical interface used as a decoy for the intrusive unwanted behavior taking place behind the scenes.

Once installed, Zacinlo can accommodate the installation of virtually any piece of software on the fly and thus extend its functionality.