
What Zloader is: the botnet created to carry out financial theft

Zloader is a malicious program that is distributed through infected web pages; users can also be affected through infected emails or advertisements. The goal of this malware is to steal banking credentials as well as other sensitive user information.


Although Zloader started out as a banking trojan, it came to distribute different types of malware, including ransomware, which encrypts files, documents and other items hosted on the infected computer and makes them inaccessible.

To maximize its reach, Zloader is distributed through botnets, that is, networks of infected computers that go on to infect new computers, so that the infection network keeps growing.


Now Microsoft has announced that, through its Digital Crimes Unit (DCU), it took legal and technical steps to disrupt the Zloader botnet.

This botnet is made up of computing devices in businesses, hospitals, schools, and homes around the world. Furthermore, it is run by a global Internet-based organized crime gang that operates malware as a service, designed to steal and extort money.


After obtaining a court order, the company had the domains redirected to a Microsoft sinkhole, where they can no longer be used by the criminal botnet operators.

Zloader contains a Domain Generation Algorithm (DGA) embedded in the malware, which creates additional domains as an alternate or backup communication channel for the botnet. In addition to the encrypted domains, the court order allows the seizure of 319 currently registered DGA domains. Work is also underway to block future registration of DGA domains.
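Because a DGA falls back to freshly generated domains when the hardcoded ones are sinkholed, defenders typically watch DNS logs for lookups of long, vowel-poor, high-entropy names. The following is an added example (not code from the article or from Microsoft) of that heuristic run over constructed DNS log lines; the thresholds and the log format are assumptions for illustration and are not derived from Zloader's actual DGA.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample DNS query log (not real telemetry): "<timestamp> <client_ip> <queried_domain>"
SAMPLE_DNS_LOG = """\
2022-04-13T10:00:01Z 10.0.0.12 www.microsoft.com
2022-04-13T10:00:02Z 10.0.0.12 qzkxvwprtnbmdjfh.com
2022-04-13T10:00:03Z 10.0.0.12 mail.example.org
2022-04-13T10:00:04Z 10.0.0.12 xbrtvnqmlkdjwpzc.net
2022-04-13T10:00:05Z 10.0.0.13 updates.example.org
"""

VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string (0.0 for a repeated single character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'example' for 'mail.example.org' (naive: no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(domain: str, min_len: int = 12,
                    max_vowel_ratio: float = 0.2, min_entropy: float = 3.5) -> bool:
    """Heuristic: long, vowel-poor, high-entropy labels resemble DGA output.
    The thresholds are assumptions chosen for this example."""
    label = registrable_label(domain)
    if len(label) < min_len or not re.fullmatch(r"[a-z0-9-]+", label):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio <= max_vowel_ratio and shannon_entropy(label) >= min_entropy

def flag_dga_candidates(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, domain) pairs whose queried domain looks algorithmically generated."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:  # skip malformed lines rather than crash on them
            continue
        _timestamp, client, domain = fields
        if looks_generated(domain):
            hits.append((client, domain))
    return hits

if __name__ == "__main__":
    for client, domain in flag_dga_candidates(SAMPLE_DNS_LOG):
        print(f"{client} queried DGA-like domain {domain}")
```

Such a heuristic produces false positives on legitimate CDN or tracking hostnames, so in practice it is a triage filter to be combined with sinkhole and threat-intelligence feeds, not a verdict on its own.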

During the investigation, one of the criminals behind the creation of a component used in the Zloader botnet to distribute ransomware was identified: Denis Malikov, from Simferopol on the Crimean peninsula.


According to the company, it chose to name a person in connection with this case to make it clear that cybercriminals will not be allowed to hide behind the anonymity of the Internet to commit their crimes.

Initially, the main purpose of Zloader was financial theft: stealing login IDs, passwords and other information to take money from people's accounts.

Zloader also includes a component that disables popular antivirus and security software to prevent victims from detecting the Zloader infection.

Over time, those behind this botnet began offering malware as a service, a delivery platform for distributing ransomware, including Ryuk, which is known to target healthcare institutions.

To carry out the investigation that allowed this system to be disrupted, Microsoft worked together with ESET, Black Lotus Labs (the threat intelligence arm of Lumen), and Unit 42 of Palo Alto Networks.

It also received additional data and information to strengthen the legal case from its partners the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC), and had the support of Avast in Europe.

Security measures

This malware was distributed through advertisements or messages on web pages claiming that it was necessary to download a supposed update, which in fact contained the malicious code. Hence, before downloading any file, application or update, always make sure you are on the official page of the site in question.

Keeping all devices up to date is very important because updates contain security patches. It is also key to stay informed about the attack methods of cybercriminals so as not to fall into their nets, and to take the precautions recommended by security experts.

