itman 1,758 Posted July 1, 2018 (edited)

Bitdefender recently published a whitepaper on Zacinlo malware which can be downloaded from here: https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/ .

Besides deploying a rootkit in the form of a validly signed device driver, the signing cert. now thankfully revoked, one of the Zacinlo malware components was s5Mark, a fake VPN utility. Appears s5Mark has been around for some time. Using the hashes for s5Mark provided in the whitepaper, I noticed that Eset per VirusTotal lookup did not detect any of its components; even the installer. I don't want to make a big deal about the VT non-detection since we have discussed that might not be fully representative of Eset's detection capability. However, I would like to know if Eset is flagging s5Mark as at least a UA/PUA since it has been deployed in other malware incidents.

s5Mark Hashes

51960b69f4a7c96af835ec71057b86be945983ed
4ddbbcebc348eb9f6a79886d01e4ee270018f259
5ee4ebf7e423e3e143cd286b048c04372c606bca
00caa31ec14bd478e70583f6f41c6a685629d9ee
a3b68f42db720583aa9a8f704b172c944ad96627
867515f594b589ac311508e7b5dc369ece04624a
615f2e8e9a4bb7ba9d4eb06d11834060a741adc2

Edited July 2, 2018 by itman
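For readers who want to check their own systems against the hashes quoted in the post rather than relying on a VirusTotal lookup, here is an added example (not from the post or from Bitdefender) of a small IoC hash sweep. It embeds the seven s5Mark SHA-1 values listed above, walks a directory tree, streams each file through SHA-1 and SHA-256, and reports any file whose digest appears in the IoC sets. The directory layout, file names and the demonstration files are constructed for the example; the demo injects the hash of one harmless constructed file into a copy of the IoC list purely so the match path is exercised.

```python
import hashlib
import os
import tempfile

# SHA-1 hashes of the s5Mark components quoted in the post above
# (taken from the Bitdefender whitepaper, as listed there).
S5MARK_SHA1 = frozenset({
    "51960b69f4a7c96af835ec71057b86be945983ed",
    "4ddbbcebc348eb9f6a79886d01e4ee270018f259",
    "5ee4ebf7e423e3e143cd286b048c04372c606bca",
    "00caa31ec14bd478e70583f6f41c6a685629d9ee",
    "a3b68f42db720583aa9a8f704b172c944ad96627",
    "867515f594b589ac311508e7b5dc369ece04624a",
    "615f2e8e9a4bb7ba9d4eb06d11834060a741adc2",
})

# SHA-256 of the separate SmartService installer named in the follow-up post.
SMARTSERVICE_SHA256 = frozenset({
    "1d4236b3c446c1ab86c577615cc52d4edc99bf5b4077cd93e6cd37b90d6991a0",
})


def file_digests(path, chunk_size=1 << 20):
    """Return (sha1_hex, sha256_hex) for a file, streaming so large files are fine."""
    sha1 = hashlib.sha1()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def scan_tree(root, sha1_iocs=S5MARK_SHA1, sha256_iocs=SMARTSERVICE_SHA256):
    """Walk `root` and return a sorted list of (path, algorithm, digest) for every
    file whose digest appears in one of the IoC sets. IoCs are normalised to
    lower-case hex so the comparison is case-insensitive."""
    sha1_iocs = {h.lower() for h in sha1_iocs}
    sha256_iocs = {h.lower() for h in sha256_iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                d1, d256 = file_digests(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if d1 in sha1_iocs:
                hits.append((path, "sha1", d1))
            if d256 in sha256_iocs:
                hits.append((path, "sha256", d256))
    return sorted(hits)


def demo_scan():
    """Constructed demonstration: two harmless files in a temp dir; the hash of
    one of them is added to a copy of the IoC list so a match is produced."""
    with tempfile.TemporaryDirectory() as tmp:
        flagged = os.path.join(tmp, "sample_a.bin")
        clean = os.path.join(tmp, "sample_b.bin")
        with open(flagged, "wb") as fh:
            fh.write(b"constructed sample A\n")
        with open(clean, "wb") as fh:
            fh.write(b"constructed sample B\n")
        flagged_sha1, _ = file_digests(flagged)
        hits = scan_tree(tmp, sha1_iocs=S5MARK_SHA1 | {flagged_sha1})
        return [(os.path.basename(p), algo) for p, algo, _ in hits]


if __name__ == "__main__":
    # Point scan_tree() at a real directory (for example a downloads folder)
    # to sweep it; the demo below only exercises the constructed files.
    print(demo_scan())
```

A hash match is exact-file evidence only: a repacked or recompiled build of the same component will not match, which is the same limitation that makes a single VirusTotal lookup an incomplete picture of a product's detection.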
itman 1,758 Posted July 2, 2018 Author (edited)

I will also add that the "adware" version of s5Mark that surfaced last year employed a SmartService component used to disable AV processing. This version of SmartService; i.e. file hash - 1d4236b3c446c1ab86c577615cc52d4edc99bf5b4077cd93e6cd37b90d6991a0, was deployed through a separate installer which Eset detects. It appears that this latest malware "weaponized" version of s5Mark no longer deploys a separate installer for SmartService but instead installs its components via the s5Mark installer.

Edited July 2, 2018 by itman