ZLoader Cybercrime Botnet Disrupted by Microsoft Worldwide

Steps taken by Microsoft and a group of cybersecurity companies to disrupt the ZLoader botnet included taking control of 65 domains that were used to control and communicate with infected hosts.

According to Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit (DCU), ZLoader is a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money from businesses, schools, and homes around the world.

ESET, Lumen's Black Lotus Labs, Palo Alto Unit 42, Avast and the FS-ISAC (Financial Services Information Sharing and Analysis Center) collaborated with Microsoft on the operation, which also included the Health Information Sharing and Analysis Center (H-ISAC).

The disruption redirected the domains to a sinkhole, effectively cutting the botnet's criminal operators off from the compromised devices. The same operation also seized 319 backup domains generated by the malware's embedded domain generation algorithm (DGA).
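Sinkholing works because infected hosts keep resolving the seized domains; defenders can use the same signal in their own DNS telemetry. The following Python is an added example, not code from Microsoft or any of the vendors named in the article. It scans constructed DNS resolver log lines for queries to a (constructed) list of sinkholed domains and for registrable labels that look algorithmically generated (long, high-entropy, vowel-poor). The sinkhole list, the log lines and the thresholds are all assumptions made for illustration; the real seized ZLoader domains and ZLoader's actual DGA are not reproduced here.

```python
"""Flag DNS queries for known-sinkholed or DGA-like domains.

Added example for this article; the domains, log lines and thresholds are
constructed for illustration and are not taken from the takedown itself.
"""
import math
import re
from collections import Counter

# Constructed stand-in for a published list of seized/sinkholed domains.
SINKHOLED_DOMAINS = {"example-seized-c2.invalid", "backup-dga-node.invalid"}

# Constructed resolver log lines in the form "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = """\
2022-04-13T09:01:02Z 10.0.0.21 www.microsoft.com
2022-04-13T09:01:05Z 10.0.0.21 example-seized-c2.invalid
2022-04-13T09:01:09Z 10.0.0.34 xk3qv7bdz9wplm2rty.com
2022-04-13T09:01:11Z 10.0.0.34 mail.google.com
2022-04-13T09:01:15Z 10.0.0.50 hq8zxwvkpqjtrn4d.net
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_label(qname):
    """Return the label left of the suffix (naive: second-to-last label)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character over the string's own distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_dga(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor registrable label.

    The vowel-ratio guard keeps long pronounceable names (e.g. stackoverflow)
    from being flagged on entropy alone.
    """
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def scan_dns_log(text, sinkholed=SINKHOLED_DOMAINS):
    """Return (client, qname, reason) for each suspicious query in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the scan
        _ts, client, qname = m.groups()
        qname = qname.lower().rstrip(".")
        if qname in sinkholed:
            findings.append((client, qname, "known-sinkholed"))
        elif looks_dga(qname):
            findings.append((client, qname, "dga-like"))
    return findings


if __name__ == "__main__":
    for client, qname, reason in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client}\t{qname}\t{reason}")
```

A hit on the sinkhole list is a confirmed infection to triage; the DGA heuristic is only a lead, so in practice it is paired with response codes (bursts of NXDOMAIN from one client are the usual DGA tell) and with allow-listing of known CDN and telemetry hostnames.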

When ZLoader first appeared in November of this year, it was an offshoot of the Zeus banking trojan, but it has since been actively refined and upgraded, allowing other threat actors to buy the malware on underground forums and repurpose it for their own ends.

"When it comes to evading anti-virus and security software, ZLoader has been the go-to tool for attackers because of its ability to disable these tools and sell access to other affiliate groups, such as ransomware operators," Microsoft said.

"Capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistency mechanisms, misusing legitimate security tools, and providing remote access to attackers are just some of its capabilities."

With the evolution of ZLoader from a simple financial Trojan into an advanced Malware as a Service solution, operators can now monetize compromises by selling access to other affiliate actors, who then misuse the access to deploy additional payloads like Cobalt Strike and ransomware.

ZLoader has been used in campaigns that relied on phishing emails, remote management software, and rogue Google Ads to gain initial access to target machines, while also employing several complex defense-evasion tactics, including the injection of malicious code into legitimate processes.

According to an analysis of the malware's malicious activities since February 2020, "dh8f3@3hdf#hsf23" and "03d5ae30a0bd934a23b6a7f0756aa504" have been responsible for most of the attacks since October 2020.

In contrast to the first affiliate, which used "ZLoader's ability to deploy arbitrary payloads," the second affiliate, which has been active to date, appears to have focused on stealing credentials from banking, cryptocurrency platforms, and e-commerce sites, according to Slovak cybersecurity company ESET.

Additionally, Microsoft named Denis Malikov, a resident of Simferopol, Crimea, as one of the developers of a botnet module used to distribute ransomware strains. Microsoft stated that it chose to name the perpetrator in order to "make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes."

The current operation is strikingly similar to the effort to dismantle the notorious TrickBot botnet in October 2020. Although that botnet made a comeback last year, its authors have since replaced it with stealthier variants such as BazarBackdoor.

According to Microsoft, installing ZLoader is only the first step in many modern malware attacks. The trojan is yet another example of how dangerous malware has become.
