Microsoft has taken yet another action against cybercriminals, this time to dismantle the ZLoader botnet infrastructure. The ZLoader malware infected thousands of organizations, primarily in the US, Canada, and India, and is known for distributing Conti ransomware.
Microsoft obtained a court order from the US District Court for the Northern District of Georgia allowing it to seize 65 domains that the ZLoader gang was using for command and control (C&C) of its botnet, which is built from malware that infects businesses, hospitals, schools and homes.
These domains now point to a Microsoft location outside the control of the ZLoader gang.
Microsoft also gained control of the domains that ZLoader used for its domain generation algorithm (DGA), which is used to automatically create new domains for the botnet’s C2.
“Zloader contains a domain generation algorithm (DGA) built into the malware that creates additional domains as an alternative or backup communication channel for the botnet. In addition to the encrypted domains, the court order allows us to take control of 319 currently registered ones. We are also working to block future registrations of DGA domains,” said Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit.
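As an added illustration of the pre-registration defence Hogan-Burney describes (this is not Microsoft's or ZLoader's code, and the algorithm is a hypothetical stand-in, not ZLoader's real DGA): a toy date-seeded DGA, a routine that precomputes every domain it will emit over a window so they can be registered, sinkholed or blocked first, and a check of constructed DNS log lines against that set to surface infected clients. The seed, TLD rotation and log line format are assumptions.

```python
import hashlib
from datetime import date, timedelta

SEED = b"constructed-seed"        # stands in for the per-family constant recovered by analysis
TLDS = ("com", "net", "org")      # constructed TLD rotation
WINDOW_START = date(2022, 4, 13)  # constructed start of the prediction window


def toy_dga(day: date, index: int, seed: bytes = SEED) -> str:
    """One candidate rendezvous domain for a given day and slot (hypothetical algorithm)."""
    material = seed + day.isoformat().encode() + index.to_bytes(2, "big")
    digest = hashlib.sha256(material).hexdigest()
    label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
    return f"{label}.{TLDS[index % len(TLDS)]}"


def predict_domains(start: date, days: int, per_day: int = 5) -> set[str]:
    """Every domain the DGA will emit in the window: the set a defender registers,
    sinkholes or blocks before the operator can, as the article describes."""
    return {toy_dga(start + timedelta(days=d), i)
            for d in range(days) for i in range(per_day)}


def flag_dns_log(lines: list[str], predicted: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs for log lines '<ts> <client> <qname>' that
    resolve a predicted DGA domain; such clients are likely infected hosts."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in predicted:
            hits.append((parts[1], qname))
    return hits


def demo() -> list[tuple[str, str]]:
    """Constructed log: one benign lookup and one host hitting a DGA domain."""
    window = predict_domains(WINDOW_START, days=7)
    sample_log = [
        "2022-04-14T09:00:01 10.0.0.7 www.example.com.",
        f"2022-04-14T09:00:02 10.0.0.9 {toy_dga(date(2022, 4, 14), 2)}.",
    ]
    return flag_dns_log(sample_log, window)


if __name__ == "__main__":
    for client, qname in demo():
        print(f"{client} resolved predicted DGA domain {qname}")
```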
Microsoft intercepts ransomware-spreading botnet
Microsoft led the action against ZLoader in partnership with researchers from ESET, Lumen’s Black Lotus Labs and Palo Alto Networks Unit 42; Avast also assisted Microsoft’s DCU with the European investigation. According to ESET, Zloader had approximately 14,000 unique samples and over 1,300 unique C&C servers.
Microsoft acknowledges that the ZLoader operation is not finished and is working with ISPs to identify and remediate infected systems. The matter has also been referred to law enforcement.
Microsoft used a similar techno-legal approach to take down the TrickBot botnet in 2020.
Microsoft’s technical analysis of ZLoader notes that the group used Google Ads to distribute Ryuk ransomware, which let it bypass email security and reach victims directly in the browser. Malicious ads and emails were its main delivery mechanism, with campaigns impersonating well-known technology brands including Java, Zoom, TeamViewer and Discord.
“Actors will purchase Google Ads for key terms associated with these products, such as ‘video conference with zoom’,” Microsoft explains.
For email delivery, the group often used Microsoft Office attachments and abused macros to infect machines. Lures to get victims to open a document and enable macros included COVID-19 alerts, overdue bill payments and fake resumes.
However, that might not be the end of the story yet. “The purpose of our outage is to disable ZLoader’s infrastructure and make it more difficult for this gang of organized criminals to continue their activities. We expect defendants to make efforts to revive ZLoader operations,” Microsoft said.