Microsoft has announced a months-long effort to take control of 65 domains that the ZLoader criminal botnet gang has been using as command-and-control servers.
The tech giant’s Digital Crimes Unit obtained a court order to take down the domains, which are now directed to a Microsoft-controlled sinkhole so they can’t communicate with the botnet.
In addition to the 65 hardcoded domains, the court order also allows Microsoft to take control of an additional 319 registered domains that the botnet uses as a backup communication channel. Microsoft said it’s working to block future registration of these so-called domain generation algorithm domains.
The investigation also tied the ZLoader botnet directly to Denis Malikov, who lives in Simferopol on the Crimean Peninsula, which was annexed by Russia from Ukraine in 2014. According to Microsoft, he is one of the creators of a component that the botnet uses to distribute ransomware.
“We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes,” wrote Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit.
From banking trojan to ransomware
ZLoader is a variant of the Zeus banking trojan that has been around for at least 15 years. While its earlier use was primarily to steal account login IDs and passwords for financial theft, it has evolved over the years and added new capabilities.
These include defensive capabilities, like disabling security and anti-virus tools to evade detection, and offensive capabilities such as “capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers,” according to the Microsoft 365 Defender Threat Intelligence Team.
Microsoft was keen to stress this was a cooperative effort, with security shops ESET, Lumen’s threat-intel arm Black Lotus Labs, Palo Alto Networks’ Unit 42 and Avast Threat Labs helping out. It also thanked the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC) for “additional data and insights.”
While the newly announced operation will have severely inconvenienced the botnet’s operators, based on past experience they’ll be back. In October 2020 Microsoft launched a similar operation against the Trickbot network, but it was back up and running within two weeks, the US Cybersecurity and Infrastructure Security Agency warned in an advisory. ZLoader is likely to be revived soon as well, since it has proven very popular so far and there’s a lot of money to be made.
ZLoader is also sold on underground forums along with other types of commodity malware. “When purchased, affiliates are given all they need to set up their own servers with administration panels and to start building their bots,” security firm ESET explained. “Affiliates are then responsible for bot distribution and maintaining their botnets.”
More recently, the malware has been linked to ransomware gangs Ryuk, DarkSide and BlackMatter. ZLoader has also moved away from using email as an initial vector and instead turned toward ads on search engines that trick users into visiting malicious websites, the Microsoft Defender team added.
These campaigns impersonate a legitimate company or product such as Java, TeamViewer, Zoom, and Discord. “For the delivery stage of the attack, the actors would purchase Google Ads for key terms associated with those products, such as ‘zoom videoconference,’” the threat intel group explained.
Of course, clicking on these phony ads then directs users to a malicious domain, which allows the botnet to infect the device and start using it to communicate with ZLoader servers. ®