
A months-long global operation led by Microsoft’s Digital Crimes Unit (DCU) has taken down dozens of domains used as command-and-control (C2) servers by the notorious ZLoader botnet.

The court order obtained by Microsoft allowed it to sinkhole 65 hardcoded domains the ZLoader gang used to control the botnet, plus another 319 domains produced by the malware's domain generation algorithm (DGA), which the bots fall back to when the hardcoded command-and-control domains stop responding.

“During our investigation, we identified one of the perpetrators behind the creation of a component used in the ZLoader botnet to distribute ransomware as Denis Malikov, who lives in the city of Simferopol on the Crimean Peninsula,” explained Amy Hogan-Burney, the DCU General Manager.

“We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.”

Multiple telecommunications providers and cybersecurity firms worldwide partnered with Microsoft's threat intelligence and security researchers throughout the investigation, including ESET, Black Lotus Labs (Lumen's threat intelligence arm), Palo Alto Networks' Unit 42, and Avast.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC) also contributed data and insights to help strengthen the legal case.

ZLoader attacks heat map (image: Microsoft)

Zloader (aka Terdot and DELoader) is a widely known banking trojan first spotted back in August 2015, when it was deployed in attacks against the customers of several British financial companies.

“Its capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers,” the Microsoft 365 Defender Threat Intelligence Team said today.

Like Zeus Panda and Floki Bot, this malware is almost wholly based on the Zeus v2 trojan’s source code leaked online over a decade ago.

The malware has been used to target banks worldwide, from Australia and Brazil to North America, with the end goal of harvesting financial data via web injects: code inserted into the victim's banking session that uses social engineering to trick infected bank customers into handing over authentication codes and credentials.

Zloader also features backdoor and remote access capabilities, and it can be used as a malware loader to drop additional payloads on infected devices.

More recently, ransomware operators have also used it as a loader to deploy Ryuk and Egregor and, according to Microsoft, DarkSide and BlackMatter.

Reports from ESET and the Microsoft 365 Defender Threat Intelligence Team provide indicators of compromise, further information on defensive techniques, and a breakdown of ZLoader's attack chains.

Source: www.bleepingcomputer.com