Microsoft dismantled the C2C used by the ZLoader trojan. It sinkholed 65 domains used by the ZLoader operators along with an additional 319 currently registered DGA domains.
Zloader is a banking malware that has been active at least since 2016, it borrows some functions from the notorious Zeus 188.8.131.52 banking Trojan and was used to spread Zeus-like banking trojan.
ZLoader evolved across the years, from a basic banking trojan to a sophisticated piece of malware capable of monetizing compromised devices by selling access to other affiliate groups.
The company also identified one of the perpetrators a man named Denis Malikov, involved in the development of a ZLoader component used to deliver ransomware.
Experts observed ZLoader infections worldwide, most of them in the US, China, western Europe, and Japan.
ZLoader has remained relevant as attackers’ tool of choice by including defense evasion capabilities, like disabling security and antivirus tools, and selling access-as-a-service to other affiliate groups, such as ransomware operators.Its capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers.Microsoft statement
Over time, Zloader operators began offering malware as a service, the malware was used to distribute multiple ransomware, including Ryuk.