ZLoader botnet campaign ‘a wake-up call’ on how ransomware could evolve

We’re excited to bring Transform 2022 back in person on July 19 and pretty much July 20-28. Join AI and data leaders for insightful conversations and exciting networking opportunities. Register today!

While the joint efforts of Microsoft and a number of security vendors have disrupted a global campaign that used the ZLoader botnet to spread ransomware, the opportunistic attacks are a reminder that ransomware is a societal threat.

Microsoft’s Digital Crimes Unit said on Wednesday it recently obtained a court order in Georgia allowing it to remove 65 domains that use the ZLoader group. Other participants in the effort – who also used technical means to disrupt ZLoader – included ESET; Lumen’s Threat Intelligence Unit, Black Lotus Labs; and the Unit 42 division of Palo Alto Networks.

Researchers at Microsoft said the ZLoader attacks largely targeted the US, Western Europe, China and Japan.

Although ZLoader was originally deployed as a banking trojan, the malware “is notable for its ability to evolve,” the Microsoft researchers said in a blog post. And with this latest campaign, the botnet has evolved to distribute ransomware payloads, the researchers said.

The attacks also appear to have been more opportunistic than many of the hitherto known ransomware attacks, which often targeted specific organizations.

“Zloader affiliates used various techniques to expand their botnets, such as sending spam emails containing malicious documents or abusing Google Ads to redirect visitors to malicious websites that offer the malware,” said Alexis Dorais-Joncas , security intelligence team leader at ESET, in an email. †

In addition to exploited Google ads, emails about COVID-19 (with malicious Microsoft Word attachments) and fake invoice emails with malicious XLS macros were also used in the ZLoader campaign, according to ESET researchers.

“The affiliates can then decide to deploy additional malware on the infected systems under their control, such as ransomware,” Dorais-Joncas said.

Evolving threat

The fact that ZLoader has evolved to be used in the deployment of ransomware represents “a wake-up call about how ransomware will continue to evolve,” said Joseph Carson, chief security scientist and advisory CISO at Delinea, a privileged provider of access management.

“This means that rather than targeting ransomware victims, it makes ransomware more opportunistic — putting more individuals and small businesses at greater risk of becoming ransomware victims,” ​​Carson said in an email.

Switching the use of ZLoader from stealing credentials and sensitive data to distributing ransomware would “probably lead to more individuals and small businesses falling victim to ransomware by visiting the wrong domain or clicking the wrong link” , he said.

The evolution reminds us that “everyone is now the target of ransomware criminals,” Carson said. “We should no longer prioritize ransomware as the biggest threat to organizations, but as one of the biggest threats to society.”

A lucrative business

Davis McCarthy, principal security researcher at Valtix, noted that Emotet has also evolved from a banking Trojan — “it became a powerful polymorphic botnet that evaded removal for years.”

The basis of this evolution of ZLoader is the fact that “ransomware is lucrative. And as more ransomware groups enter the market, the demand for access brokering will grow,” McCarthy said. “As access brokering grows, so will the need for reliable and innovative delivery methods.”

In the past, ZLoader has been linked to ransomware families, including Ryuk, which is notorious for targeting health organizations, Microsoft researchers said.

A particularly notable element of the ZLoader campaign is the presence of customizable options, “which would make one attacker’s use of ZLoader different from another attacker,” said Ben Pick, principal consultant at nVisium. “This makes detection difficult, as a signature-based approach would not be effective.”

Wider net

Ultimately, “trojans increase their capabilities to cast a wider network of potential victims or avoid detection,” Pick said. “To me, this means that the threat remains and the trojan will continue to evolve, as long as it is profitable for malicious actors.”

John Bambenek, principal threat hunter at Netenrich, noted that early in the history of ransomware, many ransomware authors tried to spread their own malware. However, they soon found that it was best to focus on creating solid ransomware — and allowing those adept at compromising systems in bulk to focus on that, Bambenek said.

“The result is an efficient and relentless ecosystem for chasing victims in a way that maximizes profits for both groups,” he said.

Modern ransomware, Bambenek said, is a complicated undertaking that requires different expertise. And at this point, he said, “the criminals have come up with that to streamline their time and efficiency to get paid.”

VentureBeat’s mission is to be a digital city square for tech decision makers to learn about transformative business technology and transactions. Learn more about membership.

This post ZLoader botnet campaign ‘a wake-up call’ on how ransomware could evolve

was original published at “https://venturebeat.com/2022/04/14/zloader-botnet-campaign-a-wakeup-call-on-how-ransomware-can-evolve/”