A months-long global operation led by Microsoft’s Digital Crimes Unit (DCU) has taken down dozens of domains used as command-and-control (C2) servers by the notorious ZLoader botnet.
The court order obtained by Microsoft allowed it to sinkhole 65 hardcoded domains used by the ZLoader cybercrime gang to control the botnet and another 319 domains registered using the domain generation algorithm used to create fallback and backup communication channels.
“During our investigation, we identified one of the perpetrators behind the creation of a component used in the ZLoader botnet to distribute ransomware as Denis Malikov, who lives in the city of Simferopol on the Crimean Peninsula,” explained Amy Hogan-Burney, the DCU General Manager.
“We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.”
Multiple telecommunication providers and cybersecurity firms worldwide partnered with Microsoft’s threat intel and security researchers throughout the investigative effort, including ESET, Black Lotus Labs (Lumen’s threat intelligence arm), Palo Alto Networks’ Unit 42, and Avast.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC) also contributed data and insights to help strengthen the legal case.
ZLoader attacks heat map (Microsoft)
Zloader (aka Terdot and DELoader) is a widely known banking trojan first spotted in August 2015, when it was deployed in attacks against the customers of several British financial companies.
“Its capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers,” the Microsoft 365 Defender Threat Intelligence Team said today.
The malware has been used to target banks worldwide, from Australia and Brazil to North America, with the end goal of harvesting financial data via web injections that use social engineering to trick infected bank customers into handing over authentication codes and credentials.
Zloader also features backdoor and remote access capabilities, and it can be used as a malware loader to drop additional payloads on infected devices.