Alienvault OTX: Notorious cybercrime gang’s botnet (ZLoader) disrupted
CREATED 18 HOURS AGO
MODIFIED 18 HOURS AGO by AlienVault
Public
TLP: White
Today, we’re announcing that Microsoft’s Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a criminal botnet called ZLoader. ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.
REFERENCES:
https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/
https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/
https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/
TAGS:
zloader, ursnif, raccoon, zloader 2
INDUSTRIES:
Cryptocurrency, Insurance, Banks, Financial
TARGETED COUNTRY:
Philippines
MALWARE FAMILIES:
Zloader, Ursnif, Raccoon, Zloader 2
ATT&CK IDS:
T1555.003 - Credentials from Web Browsers, T1557 - Man-in-the-Middle, T1518.001 - Security Software Discovery, T1047 - Windows Management Instrumentation, T1059.003 - Windows Command Shell, T1588.001 - Malware, T1539 - Steal Web Session Cookie, T1482 - Domain Trust Discovery, T1012 - Query Registry, T1587.001 - Malware, T1008 - Fallback Channels, T1055.001 - Dynamic-link Library Injection, T1036.001 - Invalid Code Signature, T1490 - Inhibit System Recovery, T1547.001 - Registry Run Keys / Startup Folder, T1588.002 - Tool, T1204.002 - Malicious File, T1204.001 - Malicious Link, T1074.001 - Local Data Staging, T1573.001 - Symmetric Cryptography, T1588.006 - Vulnerabilities, T1106 - Native API, T1056.001 - Keylogging, T1548.002 - Bypass User Account Control, T1587.003 - Digital Certificates, T1553.004 - Install Root Certificate, T1005 - Data from Local System, T1562.001 - Disable or Modify Tools, T1529 - System Shutdown/Reboot, T1059.005 - Visual Basic, T1041 - Exfiltration Over C2 Channel, T1189 - Drive-by Compromise, T1219 - Remote Access Software, T1027.002 - Software Packing, T1140 - Deobfuscate/Decode Files or Information, T1587.002 - Code Signing Certificates, T1583.004 - Server, T1124 - System Time Discovery, T1071.001 - Web Protocols, T1082 - System Information Discovery, T1016 - System Network Configuration Discovery, T1033 - System Owner/User Discovery, T1070.004 - File Deletion, T1584.004 - Server, T1083 - File and Directory Discovery, T1560.003 - Archive via Custom Method, T1059.001 - PowerShell, T1113 - Screen Capture, T1568.002 - Domain Generation Algorithms, T1036.005 - Match Legitimate Name or Location, T1057 - Process Discovery, T1489 - Service Stop