Microsoft Disrupts ZLoader Cybercrime Botnet in Global Operation

Microsoft and a consortium of cybersecurity companies took legal and technical steps to disrupt the ZLoader botnet, seizing control of 65 domains that were used to control and communicate with the infected hosts.

“ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money,” Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit (DCU), said.

The operation, Microsoft said, was undertaken in collaboration with ESET, Lumen’s Black Lotus Labs, Palo Alto Networks Unit 42, Avast, Financial Services Information Sharing, and Analysis Center (FS-ISAC), and Health Information Sharing and Analysis Center (H-ISAC).

As a result of the disruption, the domains are now redirected to a sinkhole, effectively preventing the botnet’s criminal operators from contacting the compromised devices. Another 319 backup domains that were generated via an embedded domain generation algorithm (DGA) have also been confiscated as part of the same operation.

ZLoader, like its notorious counterpart TrickBotstarted off as a derivative of the Zeus banking trojan in November 2019 before undergoing active refinements and upgrades that have enabled other threat actors to purchase the malware from underground forums and repurpose it to suit their goals.

“ZLoader has remained relevant as attackers’ tool of choice by including defense evasion capabilities, like disabling security and antivirus tools, and selling access-as-a-service to other affiliate groups, such as ransomware operators,” Microsoft said.

“Its capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers.”

ZLoader’s transition from a basic financial trojan to a sophisticated malware-as-a-service (MaaS) solution has also made it possible for the operators to monetize the compromises by selling the access to other affiliate actors, who then misuse it to deploy additional payloads like Cobalt Strike and ransomware.

Campaigns involving ZLoader have abused phishing emails, remote management software, and rogue Google Ads to gain initial access to the target machines, while simultaneously using several complex tactics for defense evasion, Read more:

You can also read this: Microsoft Patches Windows Flaw Under Attack and Reported by NSA

Leave a Reply

Your email address will not be published. Required fields are marked *