In a global operation, Microsoft disrupts the ZLoader cybercrime botnet

The ZLoader botnet was disrupted by Microsoft and a consortium of cybersecurity companies that gained control of 65 domains used for control and communication.

Microsoft’s Digital Crimes Unit (DCU) general manager Amy Hogan-Burney said that the ZLoader malware is spread through computing devices in businesses, hospitals, schools, and homes around the world by a global internet-based gang.

Avast, Palo Alto Network’s Unit 42, ESET, Lumen’s Black Lotus Labs, Health Information Sharing and Analysis Center (H-ISAC), and Financial Services Information Sharing and Analysis Center (FS-ISAC) participated in the operation, Microsoft said.

The domains have been redirected to a sinkhole as a result of this disruption, effectively preventing the botnet’s criminal operators from contacting compromised devices. As part of the same operation, 319 backup domains created by embedded domain generation algorithms (DGAs) have also been seized.

ZLoader, like its notorious counterpart TrickBot, started off as a derivative of the Zeus banking trojan in November 2019 before undergoing active refinements and upgrades that have enabled other threat actors to purchase the malware from underground forums and repurpose it to suit their goals.

“ZLoader has remained relevant as attackers’ tool of choice by including defense evasion capabilities, like disabling security and antivirus tools, and selling access-as-a-service to other affiliate groups, such as ransomware operators,” Microsoft said.

“Its capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers.”

ZLoader’s transition from a basic financial trojan to a sophisticated malware-as-a-service (MaaS) solution has also made it possible for the operators to monetize the compromises by selling the access to other affiliate actors, who then misuse it to deploy additional payloads like Cobalt Strike and ransomware.

Campaigns involving ZLoader have abused phishing emails, remote management software, and rogue Google Ads to gain initial access to the target machines, while simultaneously using several complex tactics for defense evasion, including injecting malicious code into legitimate processes.

Interestingly, an analysis of the malware’s malicious activities since February 2020 has revealed that most of the operations originated from just two affiliates since October 2020: “dh8f3@3hdf#hsf23” and “03d5ae30a0bd934a23b6a7f0756aa504.”

While the former used “ZLoader’s ability to deploy arbitrary payloads to distribute malicious payloads to its bots,” the other affiliate, active to date, appears to have focussed on siphoning credentials from banking, cryptocurrency platforms, and e-commerce sites, Slovak cybersecurity firm ESET said.

To top it all, Microsoft also unmasked Denis Malikov, who lives in the city of Simferopol on the Crimean Peninsula, as one of the actors behind the development of a module used by the botnet to distribute ransomware strains, stating that it chose to name the perpetrator to “make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.”

The takedown effort is reminiscent of a global operation to disrupt the notorious TrickBot botnet in October 2020. Although the botnet managed to bounce back last year, it has since been retired by the malware authors in favor of other stealthy variants such as BazarBackdoor.

“Like many modern malware variants, getting ZLoader onto a device is oftentimes just the first step in what ends up being a larger attack,” Microsoft said. “The trojan further exemplifies the trend of common malware increasingly harboring more dangerous threats.”

Some sections of this post are sourced from:
