[MART] - Daily Diary #491 - Zloader Botnet Disrupted

CTAS-MAT ctas-mat at appgate.com
Wed Apr 13 20:57:20 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

04/13/2022 - Diary entry #491:

Zloader is a malware family that began as a banking trojan and information stealer. Later, as covered in our Daily Diary #425, Zloader was used to deploy additional payloads, including ransomware strains such as Egregor and Ryuk. Its campaigns were observed affecting thousands of victims in hundreds of countries, establishing a large and profitable botnet.

Recently, Zloader's botnet was effectively shut down in an operation between Microsoft and telecommunication providers around the globe. After a court order was obtained, 65 Zloader Command & Control domains were seized and redirected to a sinkhole, preventing the infected machines (bots) controlled by the malware from receiving commands.

Zloader also embeds a Domain Generation Algorithm (DGA) that generates additional domains as a fallback in case the botnet's main communication channel is interrupted. However, the court order also allowed those domains to be taken down, resulting in 319 additional domains being shut down.
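The DGA fallback described above is exactly why sinkholing the primary C2 domains alone is rarely enough: bots keep resolving algorithmically generated names until one answers. From the defender's side, that behaviour leaves a recognisable trace in DNS logs, namely bursts of NXDOMAIN responses for long, high-entropy, vowel-poor labels from a single host. The script below is an added example written for this entry; it is not code from the original post, not Zloader's own DGA, and the log lines, field layout and scoring thresholds are constructed assumptions for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (assumed format, not real Zloader telemetry
# and not Zloader's actual DGA output): "<timestamp> <client_ip> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
2022-04-13T10:00:01Z 10.0.0.5 www.example.com NOERROR
2022-04-13T10:00:02Z 10.0.0.5 mail.example.com NOERROR
2022-04-13T10:00:03Z 10.0.0.9 qxzvbtkplwrmsnd.com NXDOMAIN
2022-04-13T10:00:04Z 10.0.0.9 hkjtrwpzqlvmxbn.net NXDOMAIN
2022-04-13T10:00:05Z 10.0.0.9 zpwrtmkqlvbxsnh.org NXDOMAIN
2022-04-13T10:00:06Z 10.0.0.9 vbnmqlkjhgfdsxz.com NXDOMAIN
2022-04-13T10:00:07Z 10.0.0.9 cdn.example.com NOERROR
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower(), "rcode": rcode})
    return records


def second_level_label(qname):
    """Return the label left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(label):
    """Count DGA-like traits in a label (0..3). Thresholds are assumptions."""
    score = 0
    if shannon_entropy(label) >= 3.0:          # many distinct characters
        score += 1
    vowels = sum(ch in "aeiou" for ch in label)
    if label and vowels / len(label) < 0.25:   # unpronounceable, vowel-poor
        score += 1
    if len(label) >= 12:                       # long random-looking label
        score += 1
    return score


def analyze(text, min_score=2):
    """Flag DGA-like query names and compute the NXDOMAIN ratio per client."""
    records = parse_dns_log(text)
    suspicious = set()
    total = defaultdict(int)
    nxdomain = defaultdict(int)
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nxdomain[r["client"]] += 1
        if dga_score(second_level_label(r["qname"])) >= min_score:
            suspicious.add(r["qname"])
    ratio = {client: nxdomain[client] / total[client] for client in total}
    return {"suspicious_domains": sorted(suspicious), "nxdomain_ratio": ratio}


if __name__ == "__main__":
    report = analyze(SAMPLE_DNS_LOG)
    for qname in report["suspicious_domains"]:
        print("DGA-like query:", qname)
    for client, r in sorted(report["nxdomain_ratio"].items()):
        print(f"{client}: NXDOMAIN ratio {r:.2f}")
```

The two signals are deliberately kept separate: a high per-client NXDOMAIN ratio points at a host cycling through candidates that nobody registered, while the label score catches the generated names themselves, including the few that do resolve (for example, to a sinkhole). Either alone produces false positives (CDN hostnames, typos), so in practice both would feed a correlation rule rather than block on their own.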

In addition, an individual living in the Crimean Peninsula was identified as one of those responsible for creating the Zloader component used to distribute ransomware in infected environments.

This is another setback for the Malware-as-a-Service and Ransomware-as-a-Service businesses, since Zloader is one of the most active malware loaders today. Even so, we should remain cautious, since disrupted botnets tend to reemerge after a few months.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com

