CyberWire Daily - Stealthy ad fraud campaign evades detection. [Research Saturday]
Episode Date: August 18, 2018. Researchers at Bitdefender have been tracking a bit of complex rootkit malware called Zacinlo that they suspect has been operating virtually undetected for over six years. Bogdan Botezatu is a senior ...cyber security analyst with Bitdefender, and he describes what they've found. Research link: https://labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Well, we identified Zacinlo a little bit earlier.
Last year, I think it was mid-year.
That's Bogdan Botezatu from Bitdefender.
He's a senior research analyst,
and the research we're discussing today is titled
Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation.
Well, we were looking for some samples that look to be a rootkit.
That's what we were after.
So we were looking through our malware zoo, looking for similar samples to a rootkit we
had under the microscope.
And we realized that we had some samples for quite a while that we didn't look at.
So when we opened them up, we realized that they had not been documented before.
I see.
It took us about a year to carry out this research because of the sheer complexity of the malware.
Yeah, and it is a complex bit of malware. So let's begin at the beginning here. Walk us through what's going on here, and how does one find themselves infected?
The initial attack avenue looks to be a fake VPN solution that the user downloads, hoping to have their web traffic shielded from snooping. However, under the fake interface, there's nothing that provides a VPN service, but rather a complex downloader that brings all these components to the user's computer and then starts mining for ads and clicking discretionarily on these ads.
So there isn't actually a real VPN running, it's just a fake interface.
Exactly. And what we saw in our telemetry is that it mostly affects United States customers, along with several other countries. We presume that this VPN application has been advertised. Hackers have kind of created some marketing campaigns around them, maybe some landing pages, maybe they bought some advertising leading people to this download, maybe some social media advertising and so on, because the malware is strictly spread across several countries, while other countries do not see any traces of this incident.
Interesting. Well, let's walk through it step by step here. So someone, they install what they think is this VPN software, and that's when the malware kicks into gear. What happens?
The malware brings some extra components on the system,
some of them being related to displaying ads,
and some of them being related to cloaking the malware from the operating system
or from the antivirus itself.
And this was the part that actually caught our attention
because there are several families of advertising fraud bots spread across the Internet,
but none of them seems to be as resilient or as difficult to remove as this family of malware.
This is something that you don't see often when working in cybersecurity.
Rootkit-based malware is still under 1% of the global amount of infections we see. That's why we treat it as a special day when we see rootkit-based malware working on Windows 10, for instance.
And it does focus on Windows 10. So once it gets installed, what happens next?
The user will have no idea what's happening because the malware is very, very optimized for
silence. Unlike crypto ransomware, for instance, which displays immediate signs of infection,
this piece of malware can only produce money for its owners for as long as it runs on the computer.
So the longer the detection time frame, the more money it's able to make for the bad guys.
It stays silent and undetected.
It does a security sweep of your computer to see if you're infected with other malware or not.
If it finds competing AdWare products on the computer,
it will try to uninstall them in order to make sure that it gets the most attention.
And by most attention, I mean that it redirects all the computing power towards what it's instructed to do. It opens up browsers in invisible windows, and it starts
loading the hackers' ads inside. It has a very nice feature because it mimics user behavior.
In those invisible browsers, it displays content along with the hackers' ads, and it mimics like there's a
human person looking at the browser's window. It scrolls up, down, it underlines words, and so on,
in order to trick the machine learning algorithms trained to spot fraud. It impersonates basically
the human's behavior to trick the advertiser's anti-fraud detection mechanisms into thinking that that's legitimate behavior coming from the user.
Of course, it clicks on those ads from time to time,
and each click on the ad gets it a cut of the commission.
So that's how they're making money, is by generating these artificial click-throughs.
Yes, this behavior is called advertising click fraud,
and it has been around for a while. But the Zacinlo malware takes it to a whole new level. It's much more
sophisticated, it's extremely configurable, and this is what made it last for so long.
The malware has operated for the past six years undetected. Even if security solutions at some point might have caught it,
it didn't draw enough attention to warrant a full review of the malware. So maybe it was mistaken as
a generic trojan, or maybe it was labeled as a traditional ad fraud abuser. But what's inside
of Zacinlo is basically a technological gold mine. It can conceal itself
from the operating system. It can impact the antivirus's operation on that machine. It looks
for specific processes and tries to kill them in order to stay undetected. Most likely, it is very
effective because judging by the number of updates we've seen, more than 2,500 updates in the past
six years, this operation requires heavy maintenance. And hackers have put a lot of
effort into improving it, into maintaining it, making sure that it's tested and it works great.
So they have some sort of quality assurance processes. Maintaining this kind of malware is expensive.
So probably they're getting a lot of revenue
by just operating them to justify the effort.
And I suppose they may be investing in advertising this fake VPN.
So they may be putting some money out there as well.
Yes.
In the business world, in the real business world,
you have to fork out money to make money.
And this happens to the cybercrime ecosystem as well. More and more cybercriminal groups
actually operate like businesses. For instance, they advertise themselves or they invest a lot
of money in getting high quality translations for ransomware, for instance, that goes international.
And it has to be localized into the user's native language
to maximize the revenue and so on.
So yes, I think that there's a lot of effort
cybercriminals have put into developing,
maintaining, and advertising this strain of malware.
Now, this malware has some fairly sophisticated methods
for maintaining persistence.
Can you take us through what's going on there?
Yes. The first thing that's noticeable is the way the rootkit protects the entire malware and its files.
It's the first step towards persistence because just by shielding it with such an advanced technology,
the antivirus solution cannot detect and block any of its components.
Secondly, in order to minimize the noise,
the malware makes a lot of use of the Windows registry to store configuration files, to store binary files,
and to make sure that there's no file left
when a reboot or a shutdown operation is initiated.
It dissolves itself by overwriting all the files with zeros.
So in case of a forensic analysis between these starts, for instance, there's no traces left behind for a security
company, for instance, to analyze. This is quite an advanced job that we rarely see in commercial
deployments of malware. So it's loading itself into RAM when the system boots and then operating, and then on shutdown,
it scrubs the files that it loaded from and then rewrites random files.
Am I following you correctly there?
Yes, exactly.
It creates new files in new locations in order to perpetuate this infection.
So even if you knew the previous locations
where the malware hides its files,
after a new restart,
most of the files will be located somewhere else.
It gives the security solution a run for its money
while it's operating.
And how does it go about evading antivirus
and other security solutions?
The first thing that the malware does
is look for processes
that are known to be associated with security solutions.
It looks inside the process's memory for strings
that might give away the fact that they're a security solution.
Secondly, it looks at the digital certificates of the processes running in memory,
looking for known vendors of security solutions.
And because it has tremendous access to the operating system's kernel,
the malware can actually shut the security solution down
or at least cripple several of its processes
in order to make sure that the anti-malware solution
does not run a scan on those files.
Now, what is going on in terms of communications with the command and control server?
The communication with the command and control server is extremely complex.
The malware has several components that talk to the command and control center,
trying to get new campaigns, making sure that the bots installed on the computer
are running the latest version available,
and they download the new versions if the bots are outdated.
There's also an extremely well-written framework that acts as a downloader
to minimize the noise it creates on the computer.
It uses a scripting language called Lua,
which is not the go-to tool for writing these kinds of updaters,
just to make sure that it doesn't look suspicious to the antivirus when it downloads files from the command and control center.
It also reports to the command and control center the user's configuration, some machine-specific things, and the operating system the user installs.
Additionally, it also sends screenshots to the command and control center.
This is extremely unusual for a piece of aggressive adware.
It's more accustomed to e-banking trojans or to advanced persistent threats.
But we presume that it's not intended for data exfiltration,
but rather to make sure that the malware does not crash. By sending screenshots every several
minutes to the command and control center, the malware tells the crooks that there are no browser
windows visible, that shouldn't be visible, that the malware does not generate errors,
that there's no security solution installed and blinking all the lights red
on the victim's computer and so on. And the last part of the command and control center handles
the way ads get delivered. These hackers have put up a very interesting mechanism that updates the
advertising campaigns in real time. The command and control center sends what ads
should be displayed and clicked by the malware. And it also sends the publisher IDs that should
get the revenue for these click-throughs. So hackers have some sort of a fallback mechanism.
If one of the advertiser IDs gets blocked for abuse, they will send different
advertiser IDs to cash the money.
Now, given the sophistication of what's going on here,
what are your notions in terms of attribution? Do you have any sense for who's behind this?
It's very difficult to tell because it targets a wide range of geographies from the United States
to Indonesia. It's very hard to tell who is behind it.
Secondly, this is a commercial threat.
So it doesn't use or reuse techniques or tactics that we have seen in the past used in advanced persistent threats or in different malware families.
It looks like it's a standalone operation that is operated by somebody who didn't have any contact or didn't have any previous operations that we know of.
That's the beauty of advertising fraud.
These guys can be pretty much anywhere in the world and targeting different countries.
So it's very difficult to attribute it to a specific actor or to a specific country.
So what are your recommendations in terms of people protecting themselves against this?
First and foremost, good protection starts with good prevention.
The first and most effective way of staying safe is having a security solution
that's able to intercept that fake VPN installer in the first place.
Secondly, when it comes to this specific attack, a rootkit-based piece of
malware can compromise the system and the antivirus running on top of it. So it's very
difficult to remove it unless you either format the computer and install a new operating system
from scratch, or you use a live CD to boot a security solution in rescue mode
and run a system scan outside of the operating system.
The operating system will lie to the antivirus and to the user
as to whether it's infected or not,
because that's the mission of the rootkit,
to conceal the infection from the security solution and from the user.
That's why we highly recommend that the users get a bootable USB drive
or a live CD if they have a CD slot on their machines
and boot from that live CD or USB drive to initiate a scan.
Now, is there an easy way for someone to check to see if they're infected by this?
The only way that would work 100% is to
use a live CD. By initiating a scan from inside the operating system, you wouldn't get accurate
results. But be aware that whenever your antivirus behaves erratically or your computer is sluggish,
this could be a telltale sign of infection. So if you have any doubts, you should run a live CD.
Some antivirus solutions have the option of rebooting in a rescue mode from the user interface,
so there's no need to burn a CD or create a USB installer
if your antivirus solution supports booting into a rescue mode.
Now, what is your sense for how widespread this is? And is it hitting specific types of systems, and are other types of systems not at risk?
We have seen it working on most
modern operating systems. Oddly enough, all the reports show that most of the victims run Windows
10, Windows 8, Windows 8.1, or Windows 7. We don't have one single victim that runs Windows XP, for instance.
Normally, you would expect these kinds of threats to affect obsolete operating systems or
unsupported operating systems. It's a good sign that hackers are riding on the adoption wave of
modern operating systems and they are developing with the new platforms in mind. So they're
aligning their creations to the newest operating systems
to make sure that they make the most out of the new systems.
Also, most likely, whoever got Windows 10 installed on the computer,
chances are that they have a very new and very powerful computer
that has much more resources that can be redirected to advertising fraud
than other people running Windows XP, for instance.
Our thanks to Bogdan Botezatu from Bitdefender for joining us.
The research is titled Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation.
We'll have a link to it in our show notes.
You can also find it on the Bitdefender website.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.