Adware stuffed into software you can freely download from the internet can secretly take screenshots of your desktop among other sneaky spyware-like capabilities. Dubbed as Zacinlo by Bitdefender, the adware first surfaced in 2012 and mostly targets Windows 10 PCs in North America. The adware was in its most “active” state at the beginning of 2018 since it emerged six years ago.
Software you can download and use for free sometimes present free secondary software options during installation that you can use or decline. This secondary software is typically bundled to appease “sponsors” supposedly backing the free program you set out to download and install. Although free software can be good for your wallet, bundled software presented during installation could prove catastrophic.
In this case, the adware poses as a free anonymous virtual private network (VPN) client called s5Mark you can install alongside the original software you intended to use. This VPN client provides a simple easy-to-read interface designed for non-technical web surfers.
But that client is just a decoy. When the Windows 10 device owner runs the fake VPN client for the first time, it downloads the actual adware components along with a rootkit: Malware that resides at the root of your PC before loading Windows 10. There is also another component called an “updater” that receives instructions and makes updates to the adware and rootkit when needed.
During installation, the adware will temporarily disable Windows Defender. It can also detect and temporarily disable antivirus solutions from 13 different providers including Bitdefender, Kaspersky, Malwarebytes, Panda, Symantec, and more. The rootkit component is what scans the PC for an antivirus client in the initial installation stages and temporarily shuts them down so the remaining adware components download to the PC.
The list of what Zacinlo can do is rather lengthy outside the screen capture component. It can stop processes in Windows 10 it deems as “dangerous” to its overall functionality. It can also inject custom JavaScript into secure HTTPS webpages visited by the device owner, re-direct web pages, send information about the desktop environment back to the hackers in charge of the campaign, uninstall and delete any Windows 10 service, and more.
“We have identified at least 25 different components found in almost 2,500 distinct samples,” the security firm states. “While tracking the adware, we noticed some of the components were continuously updated with new functionalities, dropped altogether or integrated entirely in other components. This once again reinforces our initial assumption that the adware is still being developed as of the writing of this paper.”
According to Bitdefender’s whitepaper, the winscr.exe component installed by the adware is what takes screenshots of your desktop. It can also send the hackers a list of the file locations of the applications that are set to run automatically when Windows starts and delete files used by processes and services. Other components in the adware’s payload include dataup.exe, regtool.exe, homepageoptimizer.exe, and more.
The big red flag here is that despite infecting Windows-based PCs since 2012, the spyware won’t infest your PC unless you allow its installation.