Microsoft has taken legal and technical action to dismantle the Zloader botnet

Pierluigi Paganini April 14, 2022

Microsoft’s Digital Crimes Unit (DCU) announced to have shut down dozens C2 servers used by the infamous ZLoader botnet.

Microsoft dismantled the C2 infrastructure used by the ZLoader trojan with the help of telecommunications providers around the world and cybersecurity firms. The IT giant obtained a court order that allowed it to sinkhole 65 domains used by the ZLoader operators along with an additional 319 currently registered DGA domains.

“Today, we’re announcing that Microsoft’s Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a criminal botnet called ZLoader.” reads the report published by Microsoft. “ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.”

Zloader is a banking malware that has been active at least since 2016, it borrows some functions from the notorious Zeus banking Trojan and was used to spread Zeus-like banking trojan (i.e. Zeus OpenSSL).

The company also identified one of the perpetrators a man named Denis Malikov, involved in the development of a ZLoader component used to deliver ransomware.

Experts observed ZLoader infections worldwide, most of them in the US, China, western Europe, and Japan.

ZLoader malware attacks

Experts reported that ZLoader evolved across the years, from a basic banking trojan to a sophisticated piece of malware capable of monetizing compromised devices by selling access to other affiliate groups.

“ZLoader has remained relevant as attackers’ tool of choice by including defense evasion capabilities, like disabling security and antivirus tools, and selling access-as-a-service to other affiliate groups, such as ransomware operators.” reads a post published by Microsoft. “Its capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers.”

Over time, Zloader operators began offering malware as a service, the malware was used to distribute multiple ransomware, including Ryuk.

“Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue their activities. We expect the defendants to make efforts to revive Zloader’s operations.” concludes Microsoft.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit:  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ZLoader malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment