Microsoft has announced a months-long effort to take control of 65 domains that the criminal botnet gang ZLoader uses as command-and-control servers.
The tech giant’s digital crimes unit won a court order to take down the domains, which are now directed to a Microsoft-controlled sinkhole so they can’t communicate with the botnet.
In addition to the 65 hardcoded domains, the court order also allows Microsoft to take control of 319 additional registered domains that the botnet uses as a backup communication channel. Microsoft said it was working to block future registration of these so-called domain generation algorithm domains.
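The takedown above works on two kinds of infrastructure: hardcoded domains, which a defender can simply blocklist, and domains produced by a domain generation algorithm (DGA), which change constantly and are better caught by how they look and how a host uses them. The following added example (not Microsoft's, The Register's or ZLoader's code; it does not implement ZLoader's actual algorithm) runs a defender-side heuristic over constructed DNS query log lines: it scores the registrable label of each queried name on length, vowel ratio and digit ratio, and reports clients that looked up several generated-looking domains in a row. The log format, the sample names and the thresholds are assumptions chosen for illustration.

```python
"""Heuristic triage of DGA-style domains in DNS query logs (defender-side)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS log; the names are invented, not real ZLoader indicators.
SAMPLE_DNS_LOG = """\
2022-04-13T10:01:02Z 10.0.0.5 query A www.microsoft.com
2022-04-13T10:01:03Z 10.0.0.5 query A update.example-corp.com
2022-04-13T10:01:05Z 10.0.0.7 query A qzxk3v9pwtl2m.com
2022-04-13T10:01:06Z 10.0.0.7 query A h7gd0sxlcq1vb.net
2022-04-13T10:01:07Z 10.0.0.7 query A ytn8rwpkf0ezq.org
2022-04-13T10:01:09Z 10.0.0.9 query A mail.google.com
"""

# Assumed log layout: "<timestamp> <client-ip> query <type> <name>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)$")
VOWELS = set("aeiou")


def parse_dns_log(text):
    """Yield (timestamp, client_ip, queried_name) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower().rstrip(".")


def registrable_label(fqdn):
    """Second-level label, e.g. 'microsoft' for 'www.microsoft.com'.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = fqdn.split(".")
    return parts[-2] if len(parts) >= 2 else fqdn


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_features(label):
    """Lexical features that tend to separate generated labels from words."""
    letters = [ch for ch in label if ch.isalpha()]
    digits = [ch for ch in label if ch.isdigit()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowel_ratio, 3),
        "digit_ratio": round(len(digits) / len(label), 3) if label else 0.0,
    }


def looks_generated(label):
    """Assumed thresholds: long labels with almost no vowels or many digits.
    Expect false positives on short brand names; tune against your own traffic."""
    f = label_features(label)
    return f["length"] >= 10 and (f["vowel_ratio"] < 0.2 or f["digit_ratio"] >= 0.2)


def triage(log_text, min_hits=2):
    """Map client_ip -> sorted suspicious names, for clients that queried at
    least min_hits distinct generated-looking domains (DGA hosts churn many)."""
    hits = defaultdict(set)
    for _, client, name in parse_dns_log(log_text):
        if looks_generated(registrable_label(name)):
            hits[client].add(name)
    return {client: sorted(names) for client, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in triage(SAMPLE_DNS_LOG).items():
        print(f"{client} queried {len(names)} generated-looking domains: {', '.join(names)}")
```

Requiring several distinct hits per client is what keeps the heuristic usable: a single odd-looking lookup is common, but a host cycling through many pronounceable-nonsense domains in a short window is the pattern a DGA fallback channel produces when its hardcoded servers are sinkholed.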
The investigation also linked the ZLoader botnet directly to Denis Malikov, who lives in Simferopol on the Crimean Peninsula, which was annexed by Russia from Ukraine in 2014. According to Microsoft, he is one of the creators of a component that the botnet uses to distribute ransomware.
“We have chosen to name one individual in connection with this case to make it clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes,” wrote Amy Hogan-Burney, general manager of Microsoft’s digital crimes unit.
From Banking Trojan to Ransomware
ZLoader is a variant of the Zeus banking Trojan that has been around for at least 15 years. While its earlier use was mainly to steal account logins and passwords for financial theft, it has evolved over the years and added new features.
These include defensive abilities, such as disabling security and antivirus tools to evade detection, and offensive abilities such as “capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, abusing legitimate security tools, and providing remote access to attackers”, according to Microsoft’s 365 Defender Threat Intelligence team.
Microsoft was keen to stress that this was a cooperative effort, with the help of security firms ESET, Black Lotus Labs (the threat intelligence arm of Lumen), the Unit 42 team of Palo Alto Networks and Avast Threat Labs. It also thanked the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC) for “data and additional information”.
Although the recently announced operation has seriously inconvenienced the operators of the botnet, based on past experience, they will be back. In October 2020, Microsoft launched a similar operation against the Trickbot network, but it was up and running again within two weeks, the US Cybersecurity and Infrastructure Security Agency warned in a notice. ZLoader is also expected to be relaunched soon, as it has proven to be very popular so far and there is a lot of money to be made.
ZLoader is also sold on underground forums alongside other commodity malware. “When purchased, affiliates receive everything they need to set up their own servers with admin panels and start building their bots,” security firm ESET explained. “Affiliates are then responsible for distributing bots and maintaining their botnets.”
More recently, the malware has been linked to the Ryuk, DarkSide, and BlackMatter ransomware gangs. ZLoader has also ditched using email as an initial vector and instead turned to search engine ads that trick users into visiting malicious websites, the Microsoft Defender team added.
These campaigns look like a legitimate company or product such as Java, TeamViewer, Zoom, and Discord. “For the delivery stage of the attack, actors would buy Google Ads for key terms associated with those products, such as ‘zoom video conferencing’,” the threat intelligence group explained.
Of course, clicking on these fake ads then directs users to a malicious domain, which allows the botnet to infect the device and start using it to communicate with ZLoader servers.