A recent resurgence of an adware strain has begun targeting systems running Windows 10. The adware, Zacinlo, has capabilities rarely found in adware and has been observed on systems across the globe.
How does Zacinlo infect a system?
Bitdefender, a Romanian cybersecurity and antivirus company, has been tracking components of this adware for years. In a recent 104-page whitepaper, its researchers detailed how Zacinlo is believed to compromise systems. Zacinlo comes bundled with s5Mark, an application that claims to be a free VPN. Once s5Mark is installed, the rootkit that carries Zacinlo loads and silently installs the adware's remaining components.
What is Zacinlo capable of?
What prompted Bitdefender's detailed write-up on Zacinlo was the discovery of a rootkit capable of installing itself on most Windows versions. This stood out because rootkit-equipped malware is uncommon today, and Zacinlo can also run on Windows 10, which enforces kernel-mode driver signing and ships other defenses specifically aimed at rootkits. Once Zacinlo is on a system, it injects scripts into the victim's browsers to display ads and tampers with antivirus software to avoid detection. It also searches the system for any other adware and removes it, in an effort to maximize its own effectiveness.
Beyond its adware behavior, Zacinlo has spyware properties. It continuously takes screenshots of the victim's desktop and transmits them to its command and control (C&C) server. Any sensitive data or plaintext password visible on screen at that moment is captured as well, a risk that outlives the infection itself. Zacinlo also evades most detection methods and entrenches itself so that it retains control over the system even after the operating system is restored from a backup.
Controlling Zacinlo
If Zacinlo isn't already on one of your systems, the best way to avoid it and malware like it is not to install untrusted third-party applications. Zacinlo is very sophisticated, and once it's on a system it positions itself in a way that makes it difficult to detect. According to Bogdan Botezatu, e-threat analyst at Bitdefender, "The rootkit driver can tamper with both operating system and anti-virus software, so it is better to run a scan in rescue mode rather than doing it normally." Scanning from rescue media means booting a trusted environment instead of the infected operating system, so the rootkit driver is never loaded and cannot hide its files or interfere with the scanner.
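A first, live-system check that complements the rescue-mode scan is to audit which kernel-mode drivers are loaded and whether each one carries a valid Authenticode signature from an expected publisher. The PowerShell below is an added example written for this page; it is not Bitdefender's or ManageEngine's tooling, and the trusted-publisher patterns are an assumption that flag third-party drivers for review rather than declare them malicious. Because a kernel rootkit can hide its own driver from the very APIs this script calls, an empty result is not proof of a clean machine; it is a triage aid, and the offline scan remains the stronger check.

```powershell
# Added example (not from the original article): list running kernel-mode drivers
# whose image is missing, unsigned, or signed by someone outside an expected set.
# Run from an elevated PowerShell prompt. A rootkit that hooks the kernel can hide
# its driver from Win32_SystemDriver, so treat "nothing found" as inconclusive.

function Get-SuspiciousDriver {
    [CmdletBinding()]
    param(
        # Assumed allowlist for the example: Microsoft's own drivers and WHQL-signed
        # third-party drivers ("Microsoft Windows Hardware Compatibility Publisher").
        # Adjust for your estate; anything not matching is reported for review.
        [string[]]$TrustedSubjects = @('CN=Microsoft Windows*', 'CN=Microsoft Corporation*')
    )

    # Win32_SystemDriver enumerates drivers registered as kernel services.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # Normalise the NT-style paths the registry uses (\SystemRoot\..., \??\C:\..., System32\...)
        $path = $d.PathName
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^System32', "$env:SystemRoot\System32"

        if (-not (Test-Path -LiteralPath $path)) {
            # A running driver with no image on disk is worth a look on its own.
            [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
            continue
        }

        # Note: some inbox drivers are catalog-signed rather than embedded-signed and may
        # report NotSigned on older builds; those are triage items, not verdicts.
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        $trusted = $false
        foreach ($pattern in $TrustedSubjects) {
            if ($signer -like $pattern) { $trusted = $true; break }
        }

        if ($sig.Status -ne 'Valid' -or -not $trusted) {
            [pscustomobject]@{
                Name   = $d.Name
                Path   = $path
                Status = $sig.Status
                Signer = $signer
            }
        }
    }
}

Get-SuspiciousDriver | Format-Table -AutoSize
```

Review every row it returns against the vendor you expect to own that driver; a signer you do not recognise, a revoked or mismatched signature, or a driver whose file has vanished from disk are the cases that justify taking the machine offline and running the rescue-mode scan.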
In a corporate environment, IT security professionals and sysadmins alike should have controls in place to detect when unidentified applications are installed on endpoints in their network. One way to handle this task is with an endpoint management solution.
How an endpoint management solution can defend against Zacinlo
Endpoint management solutions bring patch management, software deployment, and IT asset management together. In a case like Zacinlo, an endpoint management solution can alert system administrators when a user installs s5Mark, the application that carries the Zacinlo payload. The administrator can then remove the application from affected machines, prohibit it across the network, and block that executable from running again. Two practical caveats: block rules should key on the file's hash or publisher certificate rather than its name, since a renamed copy slips past a name-based rule; and an install-time alert fires after the rootkit driver has already loaded, so affected machines still need the rescue-mode scan described above rather than a simple uninstall.
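The inventory-and-compare step that such a product automates can be reproduced on a single host with PowerShell, which also makes clear what the product is actually doing. The script below is an added example written for this page, not ManageEngine's or Bitdefender's code: it reads the Windows uninstall registry keys, compares the result against an approved-software baseline, reports anything not on the list, and hashes the binaries of the unknown entries so that a block rule can be written against content rather than a file name. The approved list and the constructed sample inventory are assumptions for the demonstration; s5Mark is the only name taken from the article.

```powershell
# Added example (not from the original article): inventory installed applications,
# diff against an approved baseline, and hash the binaries of anything unapproved.

function Get-InstalledApplication {
    # Per-machine 64-bit, per-machine 32-bit (WOW6432Node) and per-user installs.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Location  = $_.InstallLocation
                Installed = $_.InstallDate
            }
        }
}

function Compare-ToBaseline {
    param(
        [Parameter(Mandatory)] [object[]]$Inventory,
        [Parameter(Mandatory)] [string[]]$Baseline    # approved DisplayName values
    )
    # Anything whose DisplayName is not in the approved list is reported.
    $Inventory | Where-Object { $Baseline -notcontains $_.Name }
}

function Get-UnapprovedBinaryHash {
    param([Parameter(Mandatory)] [object[]]$Unapproved)
    # SHA-256 of each executable under the app's install directory, so the block rule
    # (AppLocker / WDAC hash rule) keys on content rather than on a renamable file name.
    foreach ($app in $Unapproved) {
        if ($app.Location -and (Test-Path -LiteralPath $app.Location)) {
            Get-ChildItem -LiteralPath $app.Location -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
                Get-FileHash -Algorithm SHA256 |
                Select-Object @{ n = 'App'; e = { $app.Name } }, Hash, Path
        }
    }
}

# Assumed baseline for the example: what this organisation has approved.
$approved = @('Google Chrome', 'Microsoft Edge', '7-Zip 19.00 (x64)')

# Constructed sample inventory so the comparison can be exercised without a real host.
# s5Mark is the application named in the article; the other row is made up.
$sample = @(
    [pscustomobject]@{ Name = 'Google Chrome'; Publisher = 'Google LLC'; Location = $null; Installed = '20180601' },
    [pscustomobject]@{ Name = 's5Mark';        Publisher = $null;         Location = $null; Installed = '20180615' }
)
Compare-ToBaseline -Inventory $sample -Baseline $approved | Format-Table Name, Publisher, Installed -AutoSize

# Against the live machine: report unknown software and hash its binaries for blocking.
$unknown = Compare-ToBaseline -Inventory (Get-InstalledApplication) -Baseline $approved
$unknown | Format-Table Name, Publisher, Installed -AutoSize
Get-UnapprovedBinaryHash -Unapproved $unknown | Format-Table App, Hash, Path -AutoSize
```

With the constructed sample, only the s5Mark row is reported, because it is the one name absent from the baseline. On a real host, feed the hashes into an AppLocker or Windows Defender Application Control deny rule and deploy it through Group Policy; a name-only rule would be bypassed the moment the dropper is renamed. Remember that a baseline diff only sees what registered an uninstall entry, so it should be paired with the driver audit and rescue-mode scan rather than relied on alone.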
Endpoint management solutions can apply the same inventory-and-block workflow to any unknown application, and can help reduce exposure to other threats such as man-in-the-middle attacks, watering hole attacks, DDoS attacks, and more.
Keep malware at bay with ManageEngine’s endpoint management solution, Desktop Central. Get a free, 30-day trial of Desktop Central and start managing your endpoints.