Microsoft took actions to disrupt ZLoader malware infrastructure

Global operation led by Microsoft took down dozens of domains used by the malicious ZLoader botnet

ZLoader has remained a tool of choice for criminals because of its defense-evasion capabilities, such as disabling security and antivirus tools. Microsoft disrupted the domains these criminals used to control it.

Microsoft's Digital Crimes Unit took action against the malicious trojan. Working with telecommunications providers around the world, the company disrupted the key infrastructure of the ZLoader trojan.[1] Together with its partners, Microsoft used legal action and technical measures to take control of 65 domains that served as command and control (C2) servers for communicating with infected hosts.[2]

The court order obtained by Microsoft also allowed it to take control of a further 319 domains produced by the botnet's domain generation algorithm (DGA), which the malware uses to create fallback and backup communication channels when its primary C2 domains are unreachable.[3] The ZLoader botnet[4] is made up of compromised computing devices around the world and is run by an internet-based organized crime group. The malware operates as a service, and its main goal is to steal or extort money.

Microsoft collaborated with ESET, Lumen's Black Lotus Labs, Palo Alto Networks Unit 42, Avast, the Health Information Sharing and Analysis Center (H-ISAC) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) to conduct the operation and interrupt the botnet's criminal activity.

A major threat and a tool of choice for attackers

ZLoader is a trojan that attackers rely on for its defense-evasion capabilities. The malware can disable security tools, and its operators sell access to infected machines as a service to other affiliate groups. Use of this botnet can easily end in ransomware being deployed on the targeted network.[5]

The malware itself can take screenshots, collect cookies, and steal credentials and banking information. Attackers can use the botnet to perform reconnaissance, establish persistence, abuse legitimate security tools for their own purposes, and give the threat actors remote access to the compromised host.

These changes turned what began as a financial trojan into a malware-as-a-service tool.[6] The operators monetize the botnet by selling access to affiliated criminals, who can then distribute ransomware and post-exploitation tooling such as Cobalt Strike through it.

ZLoader trojan first spotted in 2015

The trojan is also known as Terdot and DELoader. It first emerged in 2015, when it was deployed in attacks against various financial companies and their customers. The malware is built on the leaked source code of earlier banking trojans and botnets (the Zeus family).

The botnet is mainly used to target banks worldwide, with victims in Australia, Brazil, and North America. Its primary purpose is to harvest financial data through web injections into banking sessions. It spreads through social engineering that tricks victims into handing over credentials and authentication codes.

Recent changes gave ZLoader backdoor and remote access capabilities, making it more dangerous and allowing it to be used as a direct malware loader and dropper. Once the threat infects a device, the actors can run arbitrary commands and deliver additional, more damaging malware. Major groups such as the Ryuk and DarkSide ransomware gangs have used it in the past.

The disruption of the primary and backup domains that were part of the botnet's operations means those names now redirect to a sinkhole, so the criminal operators can no longer contact the compromised devices through them.
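The DGA fallback channel and the sinkhole described above are the two pieces a defender needs to reason about: if the algorithm and its seed are known, the candidate domains for any future day can be enumerated and registered or sinkholed ahead of the bots, and once a sinkhole is in place, resolver logs reveal which hosts are still infected. The following is an added example (not code from the article, from Microsoft, or from ZLoader itself) that shows both steps end to end. The generator is a hypothetical date-seeded DGA standing in for a real family's algorithm, not ZLoader's; the seed, TLD list, sinkhole address and DNS log lines are all constructed for the example.

```python
"""Date-seeded DGA enumeration plus DNS-log checks for DGA and sinkhole hits.

This is an added, illustrative example. The generator below is a hypothetical
stand-in for a botnet DGA, NOT ZLoader's real algorithm, and the seed, TLD
list, sinkhole address and log lines are all constructed for this example.
"""
import hashlib
from datetime import date, timedelta

SEED = b"hypothetical-botnet-seed"   # assumption: a static per-family secret
TLDS = (".com", ".net")               # assumption
DOMAINS_PER_DAY = 32                  # assumption
SINKHOLE_IP = "192.0.2.10"            # RFC 5737 documentation address, constructed
TAKEDOWN_DAY = date(2022, 4, 13)


def dga_candidates(day, count=DOMAINS_PER_DAY, seed=SEED):
    """Return the deterministic list of candidate C2 domains for one day.

    Because the only inputs are the date, a static seed and an index, anyone
    who has recovered the algorithm can compute the same list in advance and
    register or sinkhole the domains before the bots try them.
    """
    out = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        h = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        out.append(label + TLDS[h[12] % len(TLDS)])
    return out


def dga_blocklist(start, days):
    """All candidates for `days` consecutive days starting at `start`."""
    names = set()
    for offset in range(days):
        names.update(dga_candidates(start + timedelta(days=offset)))
    return names


def scan_dns_log(lines, blocked, sinkhole_ip=SINKHOLE_IP):
    """Flag queries whose name is a DGA candidate or whose answer is the sinkhole.

    Each line is expected as: '<timestamp> <client> <qname> <answer>'.
    Returns (client, qname, reasons) tuples; reasons is a tuple of labels.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, answer = parts
        qname = qname.lower().rstrip(".")
        reasons = []
        if qname in blocked:
            reasons.append("dga-candidate")
        if answer == sinkhole_ip:
            reasons.append("sinkhole-answer")
        if reasons:
            hits.append((client, qname, tuple(reasons)))
    return hits


def sample_dns_log():
    """Constructed resolver log lines, built from the generator's own output."""
    today = dga_candidates(TAKEDOWN_DAY)
    tomorrow = dga_candidates(TAKEDOWN_DAY + timedelta(days=1))
    return [
        # a bot reaching today's DGA domain, which now resolves to the sinkhole
        f"2022-04-13T09:00:01Z 10.1.2.3 {today[5]} {SINKHOLE_IP}",
        # ordinary traffic (TEST-NET-2 address, constructed)
        "2022-04-13T09:00:02Z 10.1.2.3 www.example.com 198.51.100.20",
        # a bot already probing tomorrow's candidate, not yet registered by anyone
        f"2022-04-13T09:00:03Z 10.1.2.9 {tomorrow[0]} NXDOMAIN",
        # a hypothetical hard-coded primary C2 name, sinkholed by the takedown
        f"2022-04-13T09:00:04Z 10.1.2.7 primary-c2.example.net {SINKHOLE_IP}",
    ]


def demo(days_ahead=30):
    """Build a blocklist covering the next `days_ahead` days and scan the log."""
    blocked = dga_blocklist(TAKEDOWN_DAY, days_ahead)
    return scan_dns_log(sample_dns_log(), blocked)


if __name__ == "__main__":
    for client, qname, reasons in demo():
        print(f"{client} -> {qname}: {', '.join(reasons)}")
```

The point of pre-computing a month of candidates is that the third log line is caught even though the domain does not resolve yet: a host querying tomorrow's DGA name is infected today. The fourth line shows why the sinkhole answer is a useful signal on its own, since a hard-coded primary C2 name will never appear in a DGA list.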

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
