Microsoft continues its offensive against botnets and attacks ZLoader


Microsoft has conducted a new legal-technical operation against cybercriminals, this time to dismantle the ZLoader botnet infrastructure.

The ZLoader malware has infected thousands of organizations, primarily in the United States, Canada and India, and is known to have distributed the Conti ransomware.

Microsoft has obtained a US court order that allowed it to seize 65 domains that the ZLoader group used for the command and control (C&C) servers of its botnet, built from malware that infected companies, hospitals, schools and privately owned devices.

These domains are now directed to a “sinkhole” controlled by Microsoft, outside the control of the ZLoader group.

Microsoft has also taken control of the domains that ZLoader generates through its Domain Generation Algorithm (DGA), which automatically creates new domains for the botnet’s control servers so the malware can find them even after hard-coded domains are blocked.

“Zloader uses a domain generation algorithm (DGA) built into the malware that creates additional fallback or backup domains for the botnet. In addition to the hard-coded domains, the court order allows us to take control of 319 other algorithm-generated and registered domains. We are also working to block future registration of DGA domains,” said Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit.
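The quote above describes why a takedown has to cover algorithm-generated domains as well as hard-coded ones: a seeded DGA lets infected hosts derive tomorrow's fallback domains without any instruction from the operators, so defenders pre-compute those domains to block or sinkhole them ahead of time. The following is an added example, not code from the article or from ZLoader; the DGA it uses is a deliberately simple, constructed stand-in (seeded SHA-256 over the date), not ZLoader's actual algorithm, and the DNS log format, seed, dates and addresses are all constructed. It shows the defender workflow: generate the domains for a window of upcoming dates, build a blocklist, and match DNS query logs against it.

```python
"""Pre-computing DGA domains for blocking/sinkholing (added example).

The DGA below is a constructed toy, NOT ZLoader's real algorithm.
It only exists to show the defender workflow the article describes:
derive the domains a seeded algorithm will produce for future dates,
keep them as a blocklist, and flag DNS queries that resolve them.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")        # constructed
SEED = b"constructed-example-seed"  # constructed; a real seed is recovered from a sample
START = date(2022, 1, 1)            # constructed start of the blocking window


def toy_dga(day: date, count: int = 3, seed: bytes = SEED) -> list[str]:
    """Derive `count` deterministic domains for `day` (toy algorithm)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        # Map 12 hex digits onto lowercase letters to form the label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_blocklist(start: date, days: int, per_day: int = 3) -> set[str]:
    """Every domain the toy DGA will yield from `start` for `days` days."""
    blocklist: set[str] = set()
    for offset in range(days):
        blocklist.update(toy_dga(start + timedelta(days=offset), per_day))
    return blocklist


def find_dga_hits(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) for each query whose name is on the blocklist.

    Constructed log format: "<timestamp> <client-ip> query <qname> <qtype>".
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in blocklist:
                hits.append((parts[1], qname))
    return hits


# Constructed DNS log: one benign query, one DGA domain for 2022-01-02, one more benign query.
SAMPLE_LOG = [
    "2022-01-02T10:00:01Z 10.0.0.5 query www.example.com. A",
    f"2022-01-02T10:00:02Z 10.0.0.5 query {toy_dga(date(2022, 1, 2))[1]}. A",
    "2022-01-02T10:00:03Z 10.0.0.9 query updates.example.org. A",
]


def scan_sample() -> list[tuple[str, str]]:
    """Build a 30-day blocklist from START and scan the constructed log."""
    return find_dga_hits(SAMPLE_LOG, precompute_blocklist(START, 30))


if __name__ == "__main__":
    for client, qname in scan_sample():
        print(f"DGA hit: {client} queried {qname}")
```

In practice the seed and the generation routine come from reverse engineering a sample; once known, the same pre-computation lets registrars refuse the future domains and lets resolvers sinkhole them, which is what the court order described above enables for the 319 already-registered ones.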

Microsoft led the action against ZLoader in partnership with researchers from ESET, Lumen, Black Lotus Labs, and Palo Alto Networks Unit 42. Avast also participated in Microsoft’s European investigation. According to ESET, Zloader had around 14,000 unique samples and over 1,300 unique control servers.

Microsoft acknowledges that ZLoader has not been completely taken down and is working with ISPs to identify and remediate infected systems. The company has also referred the matter to law enforcement.

In 2020, Microsoft used a similar approach to take down the Trickbot botnet.

In its technical analysis of ZLoader, Microsoft states that the group used Google Ads, which placed its lures directly in users’ browsers, to distribute the Ryuk ransomware. Malicious ads and emails were its primary delivery mechanisms. Each campaign posed as well-known software, including Java, Zoom, TeamViewer, and Discord.

“Actors were buying Google ads for key terms associated with these products, like ‘zoom videoconferencing’. Users who searched Google for these terms over a period of time saw an advertisement that led them to malicious domains,” Microsoft explains.

ZLoader was also distributed through malicious emails. The group often used Microsoft Office attachments and abused macros to infect machines. The lures used to trick victims into opening a document and enabling macros included COVID-19 alerts, overdue-invoice notices and fake resumes.

But that’s probably not the end of the story yet. “Our action aims to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue its activities. We expect defendants to make efforts to restart ZLoader’s operations,” Microsoft explains.

Source: ZDNet.com