Coordinated strike against global botnet succeeds: In a joint operation with Microsoft, Lumen Black Lotus Labs and Palo Alto Networks, ESET has helped take down the global Zloader botnet.
The aim was to cripple the infrastructure and severely restrict the group's activities. The eCrime group behind Zloader was initially highly active in banking fraud and password theft. Later, the operators broadened their portfolio and offered Zloader on underground forums as "Malware as a Service". The underlying malware of the same name was originally developed as a banking Trojan based on the Zeus source code that leaked in 2011. ESET has identified and analyzed more than 14,000 distinct malicious code samples since 2019.
Three-pronged action with resounding success
The coordinated action targeted three specific botnets, each running a different version of the Zloader malware. ESET researchers identified more than 250 domains that the operators had used since January 1, 2021; these were seized as part of the operation. In addition, the backup communication channel was shut down. This fallback, known as a "Domain Generation Algorithm" (DGA), automatically generates new domain names, up to 32 different domains per day per botnet, through which the botmasters could otherwise regain the ability to send commands to the Zloader bots (zombies). The Anti-Zloader Task Force identified these domains and registered them in advance to ensure that the botnet operators cannot use this side channel to regain control of the zombie network.
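To illustrate why a DGA fallback has to be enumerated and registered ahead of time, the following is an added example written for this page; it is not code from ESET or the task force, and it is not Zloader's actual algorithm, which the announcement does not describe. It implements a hypothetical date-seeded DGA with the one property the text states (a deterministic schedule of up to 32 domains per day per botnet, keyed by a per-botnet seed), then shows the defender-side enumeration over a date window and a lookup against the resulting list. The seeds, TLD pool, label length and dates are all invented for the example.

```python
"""Hypothetical date-seeded DGA plus defender-side pre-registration.

NOT Zloader's algorithm: an illustrative stand-in that only reproduces the
property named in the text, namely 32 deterministic domains per day per botnet.
"""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical TLD pool; real DGAs pick from whatever the author chose.
TLDS = (".com", ".net", ".org", ".info")


def dga(day: date, botnet_seed: bytes, count: int = 32) -> List[str]:
    """Return `count` domains for `day` under `botnet_seed`.

    Bot and botmaster compute the same list offline from shared inputs,
    which is exactly why defenders must pre-compute it and register the
    domains before the operators do.
    """
    domains = []
    for i in range(count):
        material = botnet_seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # 12-character label restricted to a-z, then a TLD chosen from the pool
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(label + tld)
    return domains


def enumerate_for_registration(start: date, days: int,
                               seeds: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Defender side: every domain each botnet could use in the window.

    The output is the list a task force would register or sinkhole in advance
    (and feed to DNS blocklists) to deny the fallback channel.
    """
    out: Dict[str, Set[str]] = {}
    for name, seed in seeds.items():
        domains: Set[str] = set()
        for offset in range(days):
            domains.update(dga(start + timedelta(days=offset), seed))
        out[name] = domains
    return out


def classify_lookup(domain: str,
                    blocklist: Dict[str, Set[str]]) -> Optional[str]:
    """Match one DNS query name against the pre-computed lists.

    Returns the botnet name whose schedule contains the domain, else None.
    """
    for name, domains in blocklist.items():
        if domain in domains:
            return name
    return None


if __name__ == "__main__":
    # Constructed seeds for three hypothetical botnets (not real Zloader data).
    seeds = {"botnet-A": b"seed-a", "botnet-B": b"seed-b", "botnet-C": b"seed-c"}
    window = enumerate_for_registration(date(2022, 4, 1), 30, seeds)
    for name, doms in window.items():
        print(f"{name}: {len(doms)} domains to register for the 30-day window")
    probe = dga(date(2022, 4, 13), seeds["botnet-B"])[5]
    print(probe, "->", classify_lookup(probe, window))
```

The point to take from the example is the asymmetry: the bot needs only the current date and its seed, so seizing the 250 static domains alone would not have been enough; the DGA output for the coming days has to be pre-registered, and a resolver log can be matched against the same list to find still-infected hosts.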
Malware as a Service as a distribution model
Zloader was advertised as commodity malware on underground forums. Prospective perpetrators need no programming knowledge; they can instead rely on a complete eCrime service package. Alongside the malicious code, this includes services and advertising measures for attacking and infecting computers. Buyers receive the complete infrastructure for rolling out the malware and for setting up and controlling their own botnet.
Zloader malware background
The first version of Zloader discovered by ESET (1.0.0.0), at the time announced and promoted in underground forums as "Silent Night", dates from November 9, 2019 and was based on the leaked source code of the Zeus banking Trojan. It spread, among other ways, via spam e-mails carrying manipulated Office files with Covid-19 themes. The various eCrime groups then used the RIG exploit kit, spam e-mails with fake invoices (XLS macros) and Google Ads campaigns to lure potential victims to manipulated websites hosting infected downloads. Exploit kits pay off for malware distribution because these tools, traded on eCrime forums, automatically and systematically probe the victim's software for exploitable vulnerabilities.
More at ESET.com
About ESET: ESET is a European company headquartered in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 and has helped over 100 million users enjoy secure technology. Its broad portfolio of security products covers all common platforms and offers companies and consumers worldwide a balance between performance and proactive protection. The company has a global sales network in over 180 countries and offices in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.