Zacinlo Rootkit Adware

Zacinlo is an adware trojan that uses rootkit functionality to gain persistence across operating system re-installations.

At the time of publication, Zacinlo is delivered through a seemingly legitimate VPN application. When installed this application instead acts as a proxy and downloader, initiating communications with a command and control server (C2) and retrieving the malware packages.  The rootkit also comes with a self-upgrade feature which helps it to update itself to the latest version of the software.

When installed, Zacinlo’s modules provide it with a wide range of capabilities including advert injection using man-in-the-middle attacks over HTTPS, traffic redirection and installing other malware.

Zacinlo’s main functions appear to be to display advertisements and to run a hidden browser to generate income for the attackers by clicking on more advertisements. It’s also capable of removing competing adware.

The vast majority of Zacinlo victims are in the US, with 90 percent of those infected running Microsoft Windows 10. There are also victims in other regions of the world, including Western Europe, China and India. A small percentage of victims are running Windows 7 or Windows 8.

Zacinlo’s rootkit module is also used to prevent or disable processes deemed dangerous to its operation, such as anti-virus programs or security services.

Affected Platforms

• Microsoft Windows – Versions 7, 8, 8.1 and 10