A rootkit-based malware disguised as a free VPN service has infected at least thousands of Windows PCs, according to Romanian cybersecurity and antivirus software company BitDefender.
The group behind the Zacinlo strain of malware has been active since 2012, but over the past two years it added a rootkit component. This allowed the threat to infiltrate Windows 10 machines, which make up 90 percent of Zacinlo's recent victims.
Zacinlo Malware: Here's How Bad It Is
BitDefender released a whitepaper on Zacinlo, which it claims has been in operation covertly since early 2012.
In detailing Zacinlo's operations, BitDefender identified that the malware's adware components are secretly installed by a downloader disguised as the free VPN service S5Mark. The VPN app, which acts as a proxy, is the initial point of infection and downloads the rest of Zacinlo's modules.
The most important module is the rootkit, a type of malware that can manipulate the target machine's operating system and its anti-malware software. Once the rootkit is downloaded, the adware can persist on an infected machine for years.
Once Zacinlo is embedded in a computer, it can inject custom JavaScript into webpages the user visits, redirect pages in browsers, load websites in hidden windows, inject ads, take screenshots and send them to the attackers, and conceal itself by copying encrypted versions of itself across the PC. Zacinlo is also able to intercept even encrypted communications, which allows attackers to tamper with online payments.
Zacinlo has been spreading for the past six years, with most of its victims in the United States. However, the malware has also been spotted in countries such as Brazil, China, France, Germany, India, Indonesia, and the Philippines.
How To Protect Yourself Against Zacinlo
The first step in protecting a computer from Zacinlo is the general rule against malware: never download shady software. If a free app promises functions usually limited to paid apps, it should be treated as suspicious. Ironically, S5Mark promises to protect users' online activity when in fact it installs malware on their computers.
Removing Zacinlo from a PC is difficult, but not impossible. The best method is to use an antivirus rescue disk, which boots the computer from an optical disc or USB stick into a custom Linux environment that scans the hard drive without running Windows, so the rootkit cannot hide itself from the scanner.