Researchers from Microsoft and several security vendors have sinkholed 65 domains associated with the prolific Zloader malware distribution botnet.
Another 319 backup domains that Zloader generated via an embedded domain generation algorithm (DGA) have been seized as part of the same operation, which included ESET, Palo Alto Networks, and Black Lotus Labs.
The goal is to disable the infrastructure that the criminal gang behind the Zloader botnet has been using as part of its malware-distribution-as-a-service operation, says Amy Hogan-Burney, general manager of Microsoft's digital crimes unit. It is likely the operators of the botnet will try to revive operations, Hogan-Burney says, so Microsoft and the other entities involved in the takedown will continue to work with each other and with Internet service providers to monitor for and identify any further activity by the group.
Zloader first surfaced on security vendor radars in November 2019 as banking malware modeled along the lines of the notorious Zeus banking Trojan. The malware — which was sold in underground forums under the name "Silent Night" — was designed to steal data associated with online bank accounts, such as account login IDs and passwords.
ESET said its researchers have observed criminal groups using different ways to distribute Zloader, including via exploit kits such as RIG, COVID-19 themed phishing emails, adult sites, and misuse of Google Ads. The malware is designed to take a variety of malicious actions once installed on a system. This includes stealing data from browsers, stealing cryptocurrency wallets, logging keystrokes, enabling remote control, and supporting arbitrary command execution, ESET said.
One feature of the malware — its ability to profile the network and the compromised host — has allowed threat actors to distribute different malicious payloads to infected systems. Recently, this has included various ransomware families such as DarkSide and Ryuk, both of which have been associated with numerous high-profile attacks over the past two years or so.
Microsoft's digital crimes unit led the effort to take down Zloader infrastructure. The company obtained a court order from the US District Court for the Northern District of Georgia that allowed Microsoft's security researchers to take control of 65 Zloader-associated domains and direct traffic to these sites to a Microsoft sinkhole.
Disruption operations such as this require a lot of coordination, information sharing, and validation between partners, says Alexis Dorais-Joncas, security intelligence team lead at ESET. "Technical challenges aside, joining a group to cooperate on a disruption operation involves a significant amount of trust," he says.
To succeed, the companies partnering with each other in such efforts need to be willing to share information freely with one another. "We have to know we can trust every single partner to do the right thing and not misuse any information along the way to their own benefit," Dorais-Joncas says.
On the operational side, the challenge with platforms like Zloader is that they allow affiliates to create their own independent botnets. So, disrupting it means being able to map all active botnets associated with the malware, identify the infrastructure behind each of these botnets, and simultaneously monitor for the appearance of new botnets.
To do this, ESET used its endpoint security technology to automatically cluster new Zloader samples and extract command and control information from them to enable a real-time view of all active Zloader botnets and associated network infrastructure.
ESET's data was merged with data from the other vendors involved in the Zloader takedown operation so that the group was able to compile a comprehensive list of all the malicious domains and IP addresses used to control Zloader-based botnets, Dorais-Joncas says. "We are lucky to have a great relationship with Microsoft's Digital Crimes Unit and the other partners involved in this effort," he says. "[We] will continue to collaborate as needed to defend against an expanding threat landscape."
How Impactful Are Such Takedowns?
The Zloader botnet operation is one of many in recent years where security vendors have successfully partnered with each other to take down a particularly dangerous threat operation. In many cases, the takedowns had an immediate impact on the targeted activity but failed to stop it completely — Trickbot is one especially noteworthy example.
Davis McCarthy, principal security researcher at Valtix, says one problem is that some threat operators create multiple versions of a botnet to improve its resilience against takedown.
The Zloader takedown, for instance, involved three separate botnets, each of which had been set up using a different version of the malware. Technologies such as DGAs have also allowed threat actors to develop malware capable of automatically generating numerous backup domains in case their primary domains become unavailable. Zloader's DGA allowed the malware to generate 32 new domains per day per botnet.
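As an added example that is not from the article or from any of the vendors involved, the sketch below shows the defender's side of the backup-domain problem: it uses a hypothetical date-seeded DGA (not Zloader's actual algorithm) at the article's rate of 32 domains per day per botnet, precomputes the domains for a window so they can be registered or sinkholed ahead of the operators, and flags DNS queries that hit them. The seeds, dates and log lines are constructed.

```python
import hashlib
import datetime as dt

# Hypothetical DGA for illustration only; this is NOT Zloader's real algorithm.
DOMAINS_PER_DAY = 32  # the per-botnet daily rate the article reports
TLD = ".com"


def dga_domains(seed: bytes, day: dt.date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Derive the day's `count` candidate backup domains from a per-botnet seed."""
    out = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        out.append(hashlib.sha256(material).hexdigest()[:20] + TLD)
    return out


def sinkhole_plan(seeds: dict[str, bytes], start: dt.date, days: int) -> dict[str, set[str]]:
    """With each botnet's seed recovered from samples, precompute every backup
    domain in the window so it can be registered or sinkholed before it is used."""
    plan: dict[str, set[str]] = {}
    for botnet, seed in seeds.items():
        plan[botnet] = set()
        for offset in range(days):
            plan[botnet].update(dga_domains(seed, start + dt.timedelta(days=offset)))
    return plan


def match_dns_log(log_lines: list[str], plan: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Flag '<ts> <client> <qname>' log lines (constructed format) that query a
    precomputed DGA domain; returns (client, qname, botnet) for each hit."""
    lookup = {dom: botnet for botnet, doms in plan.items() for dom in doms}
    hits = []
    for line in log_lines:
        _ts, client, qname = line.split()
        botnet = lookup.get(qname.lower().rstrip("."))
        if botnet:
            hits.append((client, qname, botnet))
    return hits


def demo() -> tuple[dict[str, set[str]], list[tuple[str, str, str]]]:
    """Three constructed botnets, a ten-day window, and two constructed DNS queries."""
    seeds = {"botnet-a": b"seed-a", "botnet-b": b"seed-b", "botnet-c": b"seed-c"}
    plan = sinkhole_plan(seeds, dt.date(2022, 4, 1), days=10)  # constructed window
    log = [
        "2022-04-03T10:00:00Z 10.0.0.5 www.example.com.",
        "2022-04-03T10:00:01Z 10.0.0.9 " + dga_domains(b"seed-b", dt.date(2022, 4, 3))[7] + ".",
    ]
    return plan, match_dns_log(log, plan)


if __name__ == "__main__":
    print(demo()[1])
```

Each botnet yields 320 domains over the ten-day window, which is why seizing a DGA's future output in bulk (as the 319 backup domains here) matters as much as sinkholing the primary domains.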
"Takedown operations require the coordination of multiple stakeholders — compounded by varying laws and relationships. This coordination can be slow," McCarthy says.