<

How ZLoader Malware
Was Taken Down

Learn how PurpleSec’s experts can protect your business against the latest cyber attacks.

Author: Josh Allen / Last Updated: 6/05/2022

Reviewed By: Michael Swanagan, CISSP, CISA, CISM & Rich Selvidge, CISSP

View Our: Editorial Process

Summary Of The Attack

• Microsoft DCU partnered with other security companies to conduct a takedown of the botnet running ZLoader malware.
• Using Threat Intelligence, Data Science, Reverse Engineering, and cooperation, the task force captured over 300 domains registered for the botnet.
• ZLoader’s origin is a trojan, but it has evolved into a Ransomware as a Service platform.
• ZLoader is the primary distributor of the Ryuk healthcare ransomware.

What Happened?

On April 13, 2022, Microsoft announced that their Digital Crimes Unit (DCU) – in a joint effort with ESET, Black Lotus Labs, Palo Alto Networks, HealthISAC, and Financial Services-ISAC – has successfully disrupted the botnet distributing the ZLoader trojan.

What Is ZLoader & How Does It Work?

ZLoader is a malware derived from a banking trojan discovered in 2007 called Zeus, at one time called DELoader because it was seen in 2016 targeting German language systems.

More than just a trojan, ZLoader has evolved over the years to do many things, with different goals.

Once it has been loaded onto a victim’s computer the attacker is given persistent command and control of that system, as well as a toolset for discovering more potential victims and the ability to load custom modules.

The capabilities of ZLoader can be highly customized for specific goals, but at a high level, it is able to deliver Cobalt Strike, various Ransomware, and remote desktop access through VNC. Eventually, the creators even added the ability to disable many popular consumer antivirus and other software.

The primary goal of ZLoader campaigns historically was financial theft; stealing information to be then used to steal money directly from victim accounts.

ZLoader: Ransomware As A Service (RaaS)

However, the creators of ZLoader shifted their focus around 2020 to primarily offer Malware as a Service, or Ransomware as a Service (RaaS) through the botnet which acts as the support platform for ZLoader.

What they built became like a malicious AWS cloud specially crafted to support and run ransomware campaigns for anyone willing to pay for it.

Microsoft Uses Data & Threat Intelligence
To Cripple ZLoader Operations

To disrupt the ability of the botnet to distribute and control malware, Microsoft and its allies used data and threat intelligence to form a legal case and obtained a court order from the United States District Court for the Northern District of Georgia which allowed them to take control of 65 actively used domains that the ZLoader botnet used for command and control.

It was also discovered through reverse engineering that ZLoader also contains code to generate new domains as backup or scaling the communication channels; these 319 registered domains were also taken over by the Microsoft DCU taskforce.

Once they had control of the domains, Microsoft redirected them to sinkholes – domains that Microsoft controls and has no content – effectively crippling ZLoader’s ability to call back to the botnet and ultimately the attacker, and its ability to switch to backup domains after the initial takedown.

Wrapping Up

This is a big win for Blue Teams everywhere. The ZLoader RaaS has been used many times to distribute the infamous Ryuk ransomware which is well known for wreaking havoc on several healthcare institutions, extorting money while putting the health and lives of patients at risk.

It is also a great example of collaborative cyber security and the kind of accomplishment many of us in cyber security hope to achieve one day.

The task force was also able to identify one of the creators, Denis Malikov, and publicly identified his name and location as a statement against other ransomware operators.

Related Articles:

• How To Develop An Effective Cyber Security Strategy
• How To Manage Your Network Security In 8 Steps
• How To Conduct A Security Risk Assessment
• Top 10 Benefits Of Vulnerability Management
• Free Data Security Policy Template (Updated 2022)