Microsoft and Partners Disrupt ZLoader Botnet
Microsoft has revealed how a coordinated operation helped disrupt a notorious Trojan used widely around the world to facilitate ransomware and other attacks.
ZLoader was spawned from the infamous Zeus banking Trojan, but like similar malware TrickBot and Emotet, it underwent significant development over the years, adding new functionality.
As such, it soon evolved from a banking Trojan into malware capable of compromising devices, which its operators then sold as a service to other threat actors who used it to download additional payloads. It has been linked to high-profile ransomware campaigns including Ryuk, DarkSide and BlackMatter in the past.
After obtaining a court order, Microsoft’s Digital Crimes Unit (DCU) took control of 65 command and control (C&C) domains used by the ZLoader gang.
“The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet’s criminal operators. Zloader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet,” Microsoft explained.
“In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains.”
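The DGA fallback channel described above is exactly why sinkholing the hardcoded domains is only part of the job: a defender also wants to spot hosts that start querying freshly generated, random-looking domains. The following is an added example, not Microsoft's code and not ZLoader's actual algorithm, which is not published on this page. It scores the registered label of each queried name with four assumed heuristics (character entropy, digit ratio, consonant runs, vowel scarcity) and flags clients whose lookups look algorithmically generated. The DNS log lines and domains are constructed for the example and are not real indicators.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log: timestamp, client, query type, query name.
# The domains are made up for this example; they are not ZLoader indicators.
SAMPLE_DNS_LOG = """\
2022-04-13T10:01:02Z 10.0.0.12 A www.example.com
2022-04-13T10:01:05Z 10.0.0.12 A mail.example.org
2022-04-13T10:01:09Z 10.0.0.12 A xkq2vz9pbl7wm.com
2022-04-13T10:01:10Z 10.0.0.12 A q7tr0nj4hxzd.net
2022-04-13T10:01:11Z 10.0.0.12 A 9dlz3wqpx0kf.com
2022-04-13T10:01:12Z 10.0.0.34 A update.vendor-cdn.net
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname):
    """Label directly left of the TLD; assumes a single-label public suffix."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label):
    """Length of the longest run of consecutive consonants (digits break a run)."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(label):
    """Heuristic score 0-4; higher means more DGA-like. Thresholds are assumed."""
    score = 0
    if shannon_entropy(label) > 3.0:          # many distinct characters
        score += 1
    if sum(ch.isdigit() for ch in label) / len(label) > 0.15:  # digits mixed in
        score += 1
    if longest_consonant_run(label) >= 4:      # unpronounceable clusters
        score += 1
    alpha = [ch for ch in label if ch.isalpha()]
    if alpha and sum(ch in VOWELS for ch in alpha) / len(alpha) < 0.2:  # few vowels
        score += 1
    return score


def parse_dns_log(text):
    """Parse the constructed log format into dicts; skips lines that don't match."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def flag_dga_candidates(text, threshold=2):
    """Return (flagged query names, per-client counts) for labels scoring >= threshold."""
    flagged = []
    per_client = defaultdict(int)
    for rec in parse_dns_log(text):
        if dga_score(registered_label(rec["qname"])) >= threshold:
            flagged.append(rec["qname"])
            per_client[rec["src"]] += 1
    return flagged, dict(per_client)


if __name__ == "__main__":
    names, clients = flag_dga_candidates(SAMPLE_DNS_LOG)
    for name in names:
        print("DGA-like lookup:", name)
    for client, count in clients.items():
        print(f"{client}: {count} suspicious lookups")
```

In practice a single flagged lookup is weak evidence; the useful signal is one client producing many such lookups in a short window, which is why the function also aggregates per source address. Pairing that count with the response (NXDOMAIN bursts, or an answer that resolves to a known sinkhole range) lets a SOC distinguish a host probing its fallback channel from ordinary traffic.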
However, Microsoft acknowledged that those behind ZLoader will likely try to revive the botnet, so the action is more of a temporary setback, much like its action last week against the Russian state group APT28, which disrupted the Cyclops Blink operation.
In fact, ZLoader is noted for its resilience and persistence. It uses signed malicious files to make them appear legitimate and works to disable security tools running on a victim’s machine.
To carry out the operation, Microsoft worked with other industry players, including Lumen, Palo Alto Networks, ESET and Avast, as well as the global non-profits the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC).