Microsoft's Digital Crimes Unit (DCU) has taken down dozens of domains used as C2 servers by the ZLoader botnet.

ZLoader disruption

Throughout the investigative effort, multiple cybersecurity firms and telecommunication providers, including ESET, Black Lotus Labs, Palo Alto Networks' Unit 42, and Avast, partnered with Microsoft.
  • The takedown followed a court order that allowed DCU to sinkhole 65 hardcoded domains used by ZLoader as its C2 servers, plus 319 additional domains registered through the botnet's domain generation algorithm (DGA). Those DGA domains gave the botnet fallback and backup communication channels in case the hardcoded ones were lost.
  • Researchers also identified one individual, Denis Malikov of Simferopol, who is thought to have created a component used by the ZLoader botnet to spread ransomware.
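The sinkholing described above works because a bot can only reach infrastructure whose names it knows, which is why the DGA fallback domains had to be taken along with the hardcoded ones. From a defender's side, the same two lists drive detection: resolved names are checked against the sinkholed set, and names that were never on any list are scored for DGA-like randomness. The example below is added here and is not code from the article, Microsoft, or any of the partner firms; the sinkhole entries, the log format and the log lines are constructed placeholders, and the entropy and vowel-ratio thresholds are illustrative assumptions rather than anything ZLoader-specific.

```python
import math
import re
from collections import Counter

# Constructed placeholder sinkhole list; the real ZLoader domain list is not reproduced here.
SINKHOLED_DOMAINS = {"example-c2-one.invalid", "example-c2-two.invalid"}

# Constructed DNS resolver log lines in a simple "<ts> <host> query <type> <qname>" layout.
DNS_LOG_LINES = [
    "2022-04-13T10:00:01Z host-a query A example-c2-one.invalid",
    "2022-04-13T10:00:05Z host-b query A www.microsoft.com",
    "2022-04-13T10:01:12Z host-a query A qzkx7bnw3vpl2trm.com",
    "2022-04-13T10:01:40Z host-c query A mail.example.org",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label of a name ('foo' in 'www.foo.com'); public-suffix aware code would do better."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname, min_len=12, min_entropy=3.3, max_vowel_ratio=0.25):
    """Heuristic DGA score: long, high-entropy, vowel-poor labels. Thresholds are assumptions."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowels = sum(1 for ch in label if ch in "aeiou")
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio


def classify(line):
    """Return (host, qname, verdict) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qname = m.group("qname").lower().rstrip(".")
    if qname in SINKHOLED_DOMAINS:
        return (m.group("host"), qname, "sinkholed-c2")   # known C2 name: the host is likely infected
    if looks_generated(qname):
        return (m.group("host"), qname, "dga-like")       # unknown but random-looking: review the host
    return (m.group("host"), qname, "benign")


def triage(lines):
    """Keep only the hits worth an analyst's attention."""
    return [r for r in map(classify, lines) if r and r[2] != "benign"]


if __name__ == "__main__":
    for host, qname, verdict in triage(DNS_LOG_LINES):
        print(f"{verdict:12} {host:8} {qname}")
```

The sinkhole match is the high-confidence signal; the entropy heuristic is only a triage aid and will flag legitimate CDN or cloud hostnames, so it belongs in a review queue rather than a blocking rule.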

The botnet is used to target banks worldwide, including in Brazil, Australia, and North America, harvesting financial data through web injections that trick bank customers into handing over authentication codes and credentials.

Recent notable appearances

ZLoader has been active over the last few months, and its operators keep updating their methods to keep their attacks effective.
  • In January, a ZLoader campaign exploited Microsoft's signature verification. It was launched by the Malsmoke group and targeted thousands of victims across 111 countries.
  • Last year, another ZLoader campaign was found using a stealthier distribution mechanism, signed droppers, to target Australian and German banking customers.

Conclusion

Global cooperation between private firms and government agencies has once again disrupted a prominent botnet. It is critical that private and government entities collaborate at new levels to share threat intelligence on similar threats and protect all stakeholders.
Cyware Publisher