Microsoft and a group of other security companies have taken legal and technical action to disrupt the Zloader botnet. They managed to seize 65 domains used to control and communicate with the infected hosts.
Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit (DCU) stated on a blog page, “ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.”
Microsoft carried out the operation in collaboration with ESET, Lumen’s Black Lotus Labs, Palo Alto Networks Unit 42, Avast, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Health Information Sharing and Analysis Center (H-ISAC).
After the disruption, the domains are now redirected to a sinkhole, which prevents the botnet’s criminal operators from contacting the compromised devices. As part of the same operation, they also managed to seize another 319 backup domains generated via an embedded domain generation algorithm (DGA), so that the bots cannot fall back to them when the primary domains are lost.
Zloader first appeared on the scene as a derivative of the Zeus banking trojan in November 2019. It later underwent active refinement and upgrades, and other threat actors acquired the malware from underground forums and repurposed it to suit their own goals.
Microsoft said, “ZLoader has remained relevant as attackers’ tool of choice by including defense evasion capabilities, like disabling security and antivirus tools and selling access-as-a-service to other affiliate groups, such as ransomware operators. Its capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers.”

The transformation of ZLoader from a basic financial trojan into a sophisticated malware-as-a-service (MaaS) solution made it possible for the operators to monetize compromises by selling access to affiliate actors. That access was later abused to deploy follow-on payloads such as Cobalt Strike and ransomware.
Zloader campaigns are known to abuse phishing emails, remote management software, and rogue Google Ads to gain initial access to the targeted machines. At the same time, they employ several complex defense-evasion tactics, including injecting malicious code into legitimate processes.
ESET added, “ZLoader’s ability to deploy arbitrary payloads to distribute malicious payloads to its bots.”
Denis Malikov, from the city of Simferopol on the Crimean Peninsula, was identified by Microsoft as one of the actors behind the development of a module used by the botnet to distribute ransomware strains. Microsoft made his name public to “make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.”
Microsoft said, “Like many modern malware variants, getting ZLoader onto a device is oftentimes just the first step in what ends up being a larger attack. The trojan further exemplifies the trend of common malware increasingly harboring more dangerous threats.”