ZLoader botnet campaign ‘a wakeup call’ on how ransomware can evolve


While a joint effort by Microsoft and several security vendors has disrupted a global campaign that used the ZLoader botnet to distribute ransomware, the opportunistic nature of the attacks serves as a reminder that ransomware is a societal threat.

Microsoft’s Digital Crimes Unit said Wednesday that it had recently obtained a court order in Georgia allowing it to take down 65 domains used by the ZLoader group. Other participants in the effort – who also used technical means to disrupt ZLoader – included ESET; Black Lotus Labs, Lumen’s threat intelligence unit; and Palo Alto Networks’ Unit 42.

Microsoft researchers say ZLoader attacks mostly target the US, Western Europe, China and Japan.

When ZLoader was originally deployed as a banking Trojan, the malware was “notable for its ability to evolve,” Microsoft researchers said in a blog post. With this latest campaign, the botnet has evolved into a distribution channel for ransomware payloads, the researchers said.

The attacks appear to be more opportunistic than many of the high-profile ransomware attacks seen to date, which often target specific organizations.

“Zloader affiliates used a variety of techniques to expand their botnets, such as sending spam emails containing malicious documents or abusing Google Ads to direct visitors to malicious websites serving malware,” Alexis Dorais-Joncas, security lead at ESET, said in an email.

According to ESET researchers, the ZLoader campaign also used abused Google Ads, COVID-19-themed emails carrying malicious Microsoft Word attachments, and fake invoice emails with malicious XLS macros.
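The delivery vectors described above (macro-bearing Word and Excel attachments) are the part of this chain a mail gateway can screen for before any payload runs. The script below is an added example, not code from the article or from any of the vendors named in it: it inspects attachment bytes rather than trusting the extension, flags Office Open XML files that embed a VBA project (`vbaProject.bin`), and routes legacy OLE2 binaries (.doc/.xls, which can carry macros but need a full OLE parser such as olevba to confirm) to sandbox analysis. The sample attachments are constructed in memory; the file names and the verdict labels are assumptions made for this example.

```python
"""Triage email attachments by macro risk (added example; samples are constructed)."""
import io
import zipfile

# Legacy Office (.doc/.xls) compound-file header; macros can't be ruled out without an OLE parser.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Office Open XML (.docx/.xlsm/...) files are zip containers.
ZIP_MAGIC = b"PK\x03\x04"

NEEDS_ACTION = ("macro", "legacy-binary")  # verdicts that should block or sandbox the mail


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'legacy-binary', 'clean' or 'unknown' based on content, not file name."""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        # A VBA project lives at word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "clean"
    return "unknown"


def triage(attachments):
    """Return [(filename, verdict)] for attachments that need blocking or sandboxing."""
    results = []
    for name, blob in attachments:
        verdict = classify_attachment(blob)
        if verdict in NEEDS_ACTION:
            results.append((name, verdict))
    return results


def _ooxml(parts: dict) -> bytes:
    """Build a minimal Office Open XML container in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments mirroring the lures described in the article.
SAMPLES = [
    ("invoice.xlsm", _ooxml({"[Content_Types].xml": "<Types/>",
                             "xl/workbook.xml": "<workbook/>",
                             "xl/vbaProject.bin": b"\x00" * 16})),
    ("covid_update.docx", _ooxml({"[Content_Types].xml": "<Types/>",
                                  "word/document.xml": "<document/>"})),
    # A .docx name hiding a VBA project: the extension lies, the content does not.
    ("covid_update_v2.docx", _ooxml({"[Content_Types].xml": "<Types/>",
                                     "word/document.xml": "<document/>",
                                     "word/vbaProject.bin": b"\x00" * 16})),
    ("invoice.xls", OLE_MAGIC + b"\x00" * 504),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES):
        print(f"{name}: {verdict}")
```

Gateways that already strip or quarantine macro-enabled files by extension still benefit from the content check: the third sample shows a `.docx` name carrying a VBA project, which an extension filter would pass.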

“Affiliates may then decide to deploy additional malware, such as ransomware, into the infected system under their control,” Dorais-Joncas said.

The growing threat

The fact that ZLoader has evolved to deploy ransomware is “a wakeup call on how ransomware will continue to evolve,” said Joseph Carson, chief security scientist and advisory CISO at Delinea, a privileged access management vendor.

“This means that instead of targeting ransomware victims, it makes ransomware more opportunistic – putting more individuals and small businesses at higher risk of becoming ransomware victims,” Carson said in an email.

He said that using ZLoader to steal credentials and sensitive data, and then pivoting it to ransomware distribution, would “likely cause more individuals and small businesses to fall victim to ransomware by visiting the wrong domain or clicking on the wrong link.”

The evolution is a reminder that “everyone is now the target of ransomware criminals,” Carson said. “We must prioritize ransomware no longer as the biggest threat to organizations, but as one of the biggest threats to society.”

Profitable business

Davis McCarthy, principal security researcher at Valtix, noted that Emotet also evolved from a banking Trojan – “becoming a powerful polymorphic botnet that avoids removal over the years.”

The driver behind ZLoader’s evolution is the fact that “ransomware is attractive. And as more ransomware groups enter the market, the demand for access broking will increase,” McCarthy said. “As access broking grows, so does the need for reliable and innovative delivery methods.”

In the past, ZLoader has been linked to ransomware families, including Ryuk, which is notorious for targeting health care organizations, Microsoft researchers said.

A particularly notable feature of the ZLoader campaign is its customizable options, “which will distinguish one attacker’s use of ZLoader from another attacker’s instance,” said Ben Pike, principal consultant at nVisium. “This makes the search difficult because a signature-based approach would be ineffective.”

Huge net

Ultimately, “retained Trojans generally increase their abilities to cast a huge net of potential victims or avoid detection,” Pike said. “For me, this means that the threat remains and the Trojan will continue to evolve, as long as it is profitable for malicious actors.”

John Bambenek, principal threat hunter at Netenrich, noted that early in the history of ransomware, many ransomware authors attempted to distribute their own malware. They quickly discovered it was best to focus on building solid ransomware and to leave the bulk compromise of systems to those skilled at it, Bambenek said.

“The result is an efficient and uninterrupted ecosystem to go after victims that maximizes profits for both groups,” he said.

“Modern ransomware is a complex business that requires a variety of skills,” Bambenek said. And this time, he said, “criminals have found that streamlining their time and efficiency pays.”
