Microsoft’s Digital Crimes Unit (DCU) has taken control of 65 domains that served as the command-and-control (C2) infrastructure for the ZLoader botnet. The botnet consisted of Windows devices infected with malware from the ZeuS family, including ZLoader and Zbot.
Originally, ZLoader was used for financial and credential theft, including draining money from personal accounts; the threat actors behind it later repurposed the infected devices into a malware-as-a-service operation used to steal and extort money, for example by delivering ransomware such as Ryuk. The botnet consisted of large numbers of personal and corporate devices, including many in education and healthcare. The malware included a component capable of disabling a popular antivirus solution so that the infection would not be detected.
Microsoft said it obtained a court order from the United States District Court for the Northern District of Georgia that allowed its DCU team to take control of the domains, which have now been redirected to a sinkhole so they can no longer be used to control the infected devices. Because the infected devices keep beaconing to those names, the sinkhole also gives defenders a way to spot infections in their own DNS and egress logs. In addition to the 65 domains that were used to communicate with infected devices and grow the botnet, Microsoft said the court order also allowed DCU to take control of a further 319 registered domains, which served as a failsafe should the hard-coded domains be seized. ZLoader includes a domain generation algorithm (DGA) that computes additional domains as a backup channel should communication with the hard-coded domains fail; because the bot and its operator both know the algorithm and its inputs, they can agree on the same fallback domains without any prior contact. Steps are also being taken to prevent the registration of additional DGA domains.
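To make the DGA fallback and the two defensive responses concrete (pre-computing the domains a bot will try, and spotting DGA-style names in DNS logs), here is an added example. It is not ZLoader's code and not Microsoft's: the generator is a deliberately simple hypothetical DGA seeded from a shared secret and the date, the `timestamp client qname` log format is an assumption, and the sample log lines are constructed. Real families use their own seeds and mixing functions, but the defensive idea is the same.

```python
"""Hypothetical DGA plus two defender-side uses of it (illustration, not ZLoader's algorithm)."""
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

TLDS = ("com", "net", "org")
EXAMPLE_DAY = date(2022, 4, 13)             # assumed date for the worked run
NEXT_DAY = EXAMPLE_DAY + timedelta(days=1)


def toy_dga(seed: str, day: date, count: int) -> list[str]:
    """Return `count` deterministic domains for `day`.

    Both the bot and its operator know `seed`, so both compute the same list
    without talking to each other. That is what makes a DGA a fallback once
    the hard-coded C2 domains are seized.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:14])   # 14 lowercase letters
        domains.append(f"{label}.{TLDS[digest[14] % len(TLDS)]}")
    return domains


def upcoming_domains(seed: str, start: date, days: int, per_day: int) -> list[str]:
    """Pre-compute every domain a bot will try over the next `days` days.

    Once the DGA is reverse engineered this list feeds blocklists, sinkhole
    registrations, or registrar holds, which is the point of pre-empting
    DGA domain registration.
    """
    out = []
    for d in range(days):
        out.extend(toy_dga(seed, start + timedelta(days=d), per_day))
    return out


def shannon_entropy(s: str) -> float:
    """Entropy in bits per character of the string `s`."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(qname: str, min_len: int = 12, min_entropy: float = 3.0) -> bool:
    """Heuristic: a long, high-entropy second-level label.

    This is a triage signal, not a verdict; CDN hostnames and hashed
    subdomains produce false positives, so pair it with known-bad lists.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy


def flag_dns_log(lines: list[str]) -> list[str]:
    """Return queried names from assumed `timestamp client qname` lines that look DGA-generated."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue                     # malformed line: skip, do not crash
        qname = parts[2]
        if looks_like_dga(qname):
            flagged.append(qname)
    return flagged


# Constructed sample DNS log (not real traffic).
SAMPLE_LOG = [
    "2022-04-13T10:00:01Z 10.0.0.5 www.example.com",
    "2022-04-13T10:00:02Z 10.0.0.5 mail.example.org",
    "2022-04-13T10:00:03Z 10.0.0.7 xkqzvbnmplwrtyu.com",
    "2022-04-13T10:00:04Z 10.0.0.7 qwzpxlnvtrkfhjd.net",
    "garbage",
]

if __name__ == "__main__":
    bot_list = toy_dga("shared-secret", EXAMPLE_DAY, 5)
    operator_list = toy_dga("shared-secret", EXAMPLE_DAY, 5)
    print("bot and operator agree:", bot_list == operator_list)
    print("candidates to pre-register this week:",
          len(upcoming_domains("shared-secret", EXAMPLE_DAY, 7, 5)))
    print("flagged from log:", flag_dns_log(SAMPLE_LOG))
```

The entropy heuristic is only a first filter; the reliable control is the one the article describes, knowing the algorithm and seed and registering or blocking the domains before the operators can.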
The takedown followed an investigation led by Microsoft’s DCU, with assistance provided by ESET, Black Lotus Labs, and Palo Alto Networks’ Unit 42 team. The investigation also identified an individual who was one of the perpetrators behind a component of the malware that was used to deliver ransomware. That individual was named as Denis Malikov, who is based in Simferopol in the Crimean Peninsula. “We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes,” said Amy Hogan-Burney, General Manager of Microsoft’s DCU.
Microsoft is aware that this may only be a temporary disruption of the botnet. The operators are likely to attempt to regain control of the botnet. “Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue their activities,” said Hogan-Burney. “We expect the defendants to make efforts to revive Zloader’s operations. We referred this case to law enforcement, are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals.”