As announced today, Microsoft took action against the ZLoader trojan by working with telecommunications providers around the world to disrupt key ZLoader infrastructure. We used our research into this threat to enrich our protection technologies and ensure this infrastructure could no longer be leveraged by operators to distribute the trojan or activate deployed payloads like ransomware. Moreover, we are sharing this intelligence to emphasize the importance of collaboration throughout the larger security community. Below, we detail the various aspects of identifying a ZLoader campaign.
Derived from the Zeus banking trojan first discovered in 2007, ZLoader is a malware family notable for its ability to evolve and change from campaign to campaign, having undergone much development since its inception. ZLoader has remained relevant as attackers’ tool of choice by including defense evasion capabilities, like disabling security and antivirus tools, and selling access-as-a-service to other affiliate groups, such as ransomware operators. Its capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers.