
Zacinlo

Posted: July 5, 2018

Zacinlo is a rootkit with both covert adware and spyware features, with the emphasis on the former. It may generate 'invisible' advertisements in hidden windows or hijack advertising content already present on the Web pages your browser loads. Because this threat is highly invasive and has sophisticated stealth features, users who suspect its presence should boot their PCs from a recovery disk or USB drive before uninstalling Zacinlo with an updated anti-malware tool.

The Adware You Will Not See While It Works

Although the Venn diagram of adware and rootkits consists of two circles that rarely overlap, malware experts sometimes find rootkit-based threats that do include unsafe advertising features. One of the oldest and most significant of these rootkits to date is Zacinlo, which is over half a decade old but has evaded threat databases for years, thanks to its sophisticated stealth features and limited distribution.

Zacinlo installs itself through fake Virtual Private Network (VPN) software, which imitates a VPN client's networking features while serving as a delivery vehicle for the rootkit, and may also rely on corrupted advertisements to reach new PCs. The rootkit, which malware analysts confirm is compatible with most versions of Windows, is found predominantly on Windows 10 systems and includes features for passing information to a Command & Control (C&C) server, defeating security software, and loading non-consensual advertisements.

Zacinlo, like any good rootkit, loads automatically and silently, and can carry out the following attacks, among others:

  • Hidden background windows give Zacinlo undetectable locations for loading additional advertisements, with the revenue going to affiliates that presumably include the rootkit's threat actors.
  • Zacinlo also monitors normally loading Web pages for advertising content, which it may replace with its own ads.
  • Threat actors also gain some access to the PC's confidential information via screenshots, which Zacinlo takes automatically.
  • Zacinlo also may install or uninstall other programs at will, as instructed by its C&C server.
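
The ad-replacement behaviour in the second bullet is something a site operator can catch from the page side: compare the ad iframes actually rendered against the slots the page itself created and the ad hosts it expects. The following is an added illustration of that check, not code from the Zacinlo analysis or from any product; `ALLOWED_AD_HOSTS`, the slot ids and the sample snapshot in `SAMPLE_OBSERVED` are constructed values.

```javascript
// Added example: page-side audit of rendered ad slots.
// Hypothetical helper, not part of the original article.

// Publisher's allow-list of ad-serving hosts (constructed sample values).
const ALLOWED_AD_HOSTS = ['ads.example-publisher.test', 'cdn.example-adnetwork.test'];

// True if hostname is an allowed host or a subdomain of one.
function hostAllowed(hostname, allowed) {
  return allowed.some(h => hostname === h || hostname.endsWith('.' + h));
}

// Reduce an iframe src to a lower-cased hostname. Returns null for anything
// that is not an http(s) URL ('about:blank', 'javascript:' URLs, garbage),
// which the audit treats as not allowed.
function hostOf(src) {
  try {
    const u = new URL(src);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// observed: [{slot, src}] as currently rendered in the DOM.
// expectedSlots: slot ids the page itself created.
// Reports slots whose host is not allowed (hijacked) and iframes the page
// never created (injected); clean counts slots that passed both checks.
function auditAdSlots(observed, expectedSlots, allowed = ALLOWED_AD_HOSTS) {
  const expected = new Set(expectedSlots);
  const report = { hijacked: [], injected: [], clean: 0 };
  for (const { slot, src } of observed) {
    const host = hostOf(src);
    const ok = host !== null && hostAllowed(host, allowed);
    if (!expected.has(slot)) {
      report.injected.push({ slot, host });
    } else if (!ok) {
      report.hijacked.push({ slot, host });
    } else {
      report.clean += 1;
    }
  }
  return report;
}

// Constructed snapshot of what a page might observe; the hosts are made up.
const SAMPLE_OBSERVED = [
  { slot: 'top-banner', src: 'https://ads.example-publisher.test/b?id=1' },
  { slot: 'sidebar', src: 'https://tracker.unknown-host.test/ad.html' },
  { slot: 'zx-hidden-1', src: 'https://tracker.unknown-host.test/ad2.html' },
];
const SAMPLE_EXPECTED = ['top-banner', 'sidebar', 'footer'];

function runSample() {
  return auditAdSlots(SAMPLE_OBSERVED, SAMPLE_EXPECTED);
}

// Browser hook: re-run the audit whenever iframes are added or their src
// attribute changes, and hand the report to a callback (e.g. a beacon to
// the publisher's own telemetry endpoint). No-op outside a browser.
function watchAdSlots(expectedSlots, onReport) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') return null;
  const snapshot = () => Array.from(document.querySelectorAll('iframe'))
    .map(f => ({ slot: f.id || f.name || '(unnamed)', src: f.src }));
  const observer = new MutationObserver(() => onReport(auditAdSlots(snapshot(), expectedSlots)));
  observer.observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ['src'],
  });
  return observer;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

The report is only worth something if it leaves the machine: a rootkit that sits below the browser can tamper with the page's own scripts, so treat `onReport` as a signal to send to server-side telemetry, where a sudden rise in hijacked or injected slots across many visitors is the indicator, rather than as a client-side blocker.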

Taking Care of the Ads That You Can't See

While invisible advertisements may sound like a non-problem to some users, Zacinlo's ad-loading features can expose the PC to other malicious content, including infection vectors for further threats. Its capacity for collecting confidential information is also potentially high, even though that plays a 'support role' in the rootkit's payload, and malware analysts have yet to observe any keylogging or Man-in-the-Middle features. Finally, like all rootkits, a Zacinlo infection has significantly detrimental implications for the PC's security.

Despite its age, Zacinlo remains under active development, and its authors add and remove features frequently. The rootkit's peak distribution so far dates to late 2017. Users can protect themselves by blocking advertisements and avoiding unsafe VPN-themed download sources, and many anti-malware products should block its infection vectors by default. Users who believe their PCs are compromised should use an emergency boot device to circumvent the rootkit before removing Zacinlo with a suitable anti-malware product.

Adware as harmful as Zacinlo, which uses its technical sophistication to work around existing security solutions, is a rarity. With even the latest versions of Windows at risk, there is every reason to watch what you expose your browser to on the Web.
