Microsoft has revealed how a coordinated operation helped disrupt a notorious Trojan used widely around the world to facilitate ransomware and other attacks.
ZLoader was spawned from the infamous Zeus banking Trojan, but like similar malware TrickBot and Emotet, it underwent significant development over the years, adding new functionality.
As such, it soon evolved from a banking Trojan into malware capable of compromising devices, which its operators then sold as a service to other threat actors who used it to download additional payloads. It has been linked to high-profile ransomware campaigns including Ryuk, DarkSide and BlackMatter in the past.
After obtaining a court order, Microsoft’s Digital Crimes Unit (DCU) took control of 65 command and control (C&C) domains used by the ZLoader gang.
“The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet’s criminal operators. Zloader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet,” Microsoft explained.
“In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains.”
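The mechanism Microsoft describes, a DGA that lets a bot fall back to domains the operators can register later, is only as resilient as the secrecy of its inputs: once an analyst recovers the seed, every future domain can be enumerated in advance and pre-registered, sinkholed or blocklisted. The following added example is not ZLoader's algorithm or Microsoft's tooling; it is a hypothetical toy DGA (names `toy_dga`, `predict_domains`, `check_dns_log`, the constructed `SEED` and the RFC 5737 address used as `SINKHOLE_IP` are all assumptions) that shows the defender's side of this: enumerate the domains for a window of days, then match DNS query logs against that set and answer hits with the sinkhole address.

```python
"""Toy DGA and sinkhole/blocklist check (hypothetical, not ZLoader's algorithm)."""
import hashlib
from datetime import date, timedelta

# Constructed seed; a real family derives this from a value baked into the sample.
SEED = b"example-seed-not-zloader"
TLDS = ("com", "net", "org")
SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address, stands in for the sinkhole


def toy_dga(seed: bytes, day: date, count: int) -> list[str]:
    """Derive `count` domains for `day` from `seed`. The output is deterministic,
    so malware and analyst holding the same seed and date compute the same list."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 letters a-z
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def predict_domains(seed: bytes, start: date, days: int, per_day: int) -> set[str]:
    """Enumerate every domain the toy DGA will produce over a window of days.
    This is the list a defender pre-registers, sinkholes or pushes to a DNS blocklist."""
    return {
        d
        for offset in range(days)
        for d in toy_dga(seed, start + timedelta(days=offset), per_day)
    }


def check_dns_log(lines: list[str], predicted: set[str]) -> list[dict]:
    """Match DNS query log lines of the form '<ts> <client> <qname>' against the
    predicted set; return one alert per hit with the answer a sinkholing resolver
    should serve instead of the operators' real infrastructure."""
    alerts = []
    for line in lines:
        ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in predicted:
            alerts.append({"ts": ts, "client": client, "qname": qname,
                           "answer": SINKHOLE_IP})
    return alerts


if __name__ == "__main__":
    window = predict_domains(SEED, date(2022, 4, 13), days=7, per_day=10)
    today = toy_dga(SEED, date(2022, 4, 13), 10)
    # Constructed log: one query to a predicted DGA domain among benign lookups.
    log = [
        "2022-04-13T09:00:01 10.0.0.5 www.example.com.",
        f"2022-04-13T09:00:02 10.0.0.7 {today[3]}.",
        "2022-04-13T09:00:03 10.0.0.5 updates.example.net.",
    ]
    for alert in check_dns_log(log, window):
        print(alert)
```

The window size matters in practice: Microsoft's court order covered domains already registered, so a defender who can predict the next weeks of output can act before the operators do, which is the point of blocking future registrations.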
However, Microsoft acknowledged that those behind ZLoader will likely try to revive the botnet, so the action is more of a temporary setback, much like its move against Russian state group APT28, which disrupted the Cyclops Blink operation last week.
In fact, ZLoader is noted for its resilience and persistence. It uses signed malicious files to make them appear legitimate and works to disable security tools running on a victim’s machine.
To carry out its operation, Microsoft worked with other industry players, including Lumen, Palo Alto Networks, Eset and Avast, as well as global non-profits, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC).