Microsoft and a consortium of cybersecurity companies have taken legal and technical steps to address the ZLoader botnet, thereby taking control of 65 domains used to control and communicate with the infected hosts.
“ZLoader consists of computing devices in businesses, hospitals, schools and homes around the world and is operated by a global, internet-based organized crime gang that operates malware as a service designed to steal and extort money,” said Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit (DCU).
The operation, Microsoft said, was carried out in collaboration with ESET, Lumen’s Black Lotus Labs, Palo Alto Networks Unit 42, Avast, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC).
As a result of the disruption, the domains are now redirected into a sinkhole, effectively preventing the criminal operators of the botnet from contacting the compromised devices. Another 319 backup domains generated via an embedded domain generation algorithm (DGA) were also seized as part of the same operation.
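Sinkholing the hard-coded domains only works because the DGA-generated backup domains were seized as well; otherwise the bots would fall back to them. Defenders who cannot seize domains can still spot DGA-style fallback traffic in their own DNS logs. The following is an added illustration, not code from the article or from any of the companies involved: a heuristic scorer that flags long, high-entropy, vowel-poor domain labels in a constructed DNS query log. It does not implement ZLoader’s actual algorithm; the thresholds, the allowlist, the log format and the sample lines are all assumptions chosen for the example.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not real indicators). Format per line:
# "<timestamp> <client-ip> <queried-domain>"
SAMPLE_DNS_LOG = """\
2022-04-13T10:00:01Z 10.0.0.5 www.example.com
2022-04-13T10:00:02Z 10.0.0.5 update.microsoft.com
2022-04-13T10:00:03Z 10.0.0.7 qzkxvpwtrbmlnd.com
2022-04-13T10:00:04Z 10.0.0.7 hdjskfglwoeirjt.org
2022-04-13T10:00:05Z 10.0.0.9 mail.internal.example.com
2022-04-13T10:00:06Z 10.0.0.7 xcvbnmqwertyuio.net
"""

# Hypothetical allowlist of registered domains known to be legitimate.
ALLOWLIST = {"example.com", "microsoft.com"}

VOWELS = set("aeiou")

# Assumed thresholds; tune against your own baseline traffic.
MIN_LABEL_LEN = 12      # DGA labels tend to be long
MIN_ENTROPY = 3.4       # bits per character of the label
MAX_VOWEL_RATIO = 0.25  # pronounceable words have more vowels
FLAG_AT = 2             # score at or above this is reported


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(fqdn):
    """Naively take the last two labels; production code should use the
    Public Suffix List so that e.g. *.co.uk is handled correctly."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dga_score(fqdn):
    """Heuristic 0..3 score for how DGA-like the registered domain looks."""
    rd = registered_domain(fqdn)
    if rd in ALLOWLIST:
        return 0
    label = rd.split(".")[0]
    score = 0
    if len(label) >= MIN_LABEL_LEN:
        score += 1
    if shannon_entropy(label) >= MIN_ENTROPY:
        score += 1
    letters = [c for c in label if c.isalpha()]
    if letters and sum(c in VOWELS for c in letters) / len(letters) < MAX_VOWEL_RATIO:
        score += 1
    return score


def flag_dga_queries(log_text):
    """Return (client_ip, domain, score) for every log line whose domain
    scores at or above FLAG_AT. Lines that do not have three fields are skipped."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, domain = parts
        score = dga_score(domain)
        if score >= FLAG_AT:
            flagged.append((client, domain, score))
    return flagged


if __name__ == "__main__":
    for client, domain, score in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"{client} queried DGA-like domain {domain} (score {score})")
```

A single flagged query is weak evidence on its own; the useful signal is a host issuing many such queries in a short window, most of them returning NXDOMAIN, which is what a bot walking through its fallback list looks like. Resolutions that land on a published sinkhole address are a stronger indicator that the host is infected and should be pulled for incident response.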
ZLoader, like its infamous TrickBot counterpart, started out as a derivative of the Zeus banking Trojan in November 2019, before undergoing active refinements and upgrades that have allowed other attackers to purchase the malware from underground forums and repurpose it for their own ends.
“ZLoader has remained relevant as the tool of choice for attackers, integrating defense evasion capabilities like disabling security and antivirus tools, and selling Access-as-a-Service to other connected groups like ransomware operators,” Microsoft said.
“Its abilities include capturing screenshots, harvesting cookies, stealing credentials and banking information, conducting reconnaissance, launching persistence mechanisms, abusing legitimate security tools, and providing attackers with remote access.”
ZLoader’s transition from a simple financial trojan to a sophisticated malware-as-a-service (MaaS) solution has also allowed its operators to monetize the compromises by selling access to other affiliate actors, who then abuse it to deliver additional payloads such as Cobalt Strike and ransomware.
Campaigns using ZLoader have abused phishing emails, remote management software, and deceptive Google ads to gain initial access to the targeted computers, while simultaneously employing several sophisticated tactics to bypass defenses, including injecting malicious code into legitimate processes.
Interestingly, an analysis of the malware’s malicious activities since February 2020 has revealed that most operations since October 2020 originated from only two affiliates: “dh8f3@3hdf#hsf23” and “03d5ae30a0bd934a23b6a7f0756aa504”.
While the former “used ZLoader’s ability to serve arbitrary payloads to distribute malicious payloads to its bots,” the other affiliate, which remains active to this day, appears to have focused on bank credentials, cryptocurrency platforms, and e-commerce websites, said Slovak cybersecurity firm ESET.
Microsoft also exposed Denis Malikov, who lives in the Crimean peninsula city of Simferopol, as one of the actors behind the development of a module used by the botnet to distribute ransomware strains, stating that it chose to name the perpetrator “to make it clear that cyber criminals must not hide behind the anonymity of the Internet in order to commit their crimes”.
The takedown effort recalls the global operation to disrupt the infamous TrickBot botnet in October 2020. Although that botnet bounced back over the past year, it has since been retired by its authors in favor of other stealthy variants like BazarBackdoor.
“As with many modern malware variants, getting ZLoader onto a device is often just the first step, leading to a larger attack,” Microsoft said. “The Trojan is another example of the trend that common malware harbors increasingly dangerous threats.”