Microsoft, ESET take down ZLoader botnets


Cybersecurity experts from Microsoft, ESET, Lumen, Palo Alto Networks, and other companies have teamed up to disrupt a major malware distribution botnet.

In a blog post, the Microsoft 365 Defender Threat Intelligence Team said the group had disrupted ZLoader, a malware family used around the globe to deliver ransomware and launch similar cyberattacks.

After obtaining a court order, the company seized 65 command-and-control (C2) domains that the ZLoader group used in its activities. 


Blocking future registration

“The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet’s criminal operators. Zloader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet,” Microsoft explained.

“In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains.”
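
The passage above explains why seizing the hardcoded domains alone is not enough: the malware can fall back to domains computed by its DGA, so the defender has to compute and sinkhole those as well. The following Python is an added illustration written for this article, not Microsoft's or ZLoader's code: it uses a made-up, date-seeded DGA (the seed, hash, domain count and TLD list are assumptions; the page does not describe ZLoader's real algorithm), a simulated bot that walks its hardcoded and DGA domains in order, a simulated domain registry where "sinkhole" marks a seized name, and a small DNS-log check for queries to DGA domains. The takedown steps, the stand-in domains and the log lines are all constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Illustrative parameters only (assumptions for this example; the page does not
# describe ZLoader's real DGA, seed, or daily domain count).
SEED = b"example-botnet-seed"
TLDS = ("com", "net", "org")
TAKEDOWN_DAY = date(2022, 4, 13)   # the DGA "day" used in the simulation below


def generate_domains(day, count=8, seed=SEED):
    """Derive `count` candidate C2 domains for `day` from a shared seed.

    Bot and defender compute the same list: the bot to find a backup C2 when
    its hardcoded domains fail, the defender to register or sinkhole those
    names before the criminals can.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        label = hashlib.sha256(material).hexdigest()[:12]  # hex chars form a valid DNS label
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def upcoming_domains(start, days):
    """All DGA domains from `start` for `days` days, deduplicated, in order.
    This is the list a defender pre-registers or asks a court to block."""
    seen, out = set(), []
    for offset in range(days):
        for dom in generate_domains(start + timedelta(days=offset)):
            if dom not in seen:
                seen.add(dom)
                out.append(dom)
    return out


def run_bot(hardcoded, dga_candidates, registry, sinkhole_log):
    """Mimic the bot's fallback order: hardcoded C2 domains first, then the
    day's DGA domains.  `registry` maps a domain to "sinkhole" or to an
    attacker IP; a missing key means unregistered (NXDOMAIN).  A sinkholed
    domain absorbs the beacon (logged for the defender) but gives no valid C2
    reply, so the bot keeps walking the list.  Returns the first live attacker
    C2 as (domain, ip), or None if the bot is fully contained."""
    for dom in list(hardcoded) + list(dga_candidates):
        owner = registry.get(dom)
        if owner is None:
            continue                     # NXDOMAIN: try the next name
        if owner == "sinkhole":
            sinkhole_log.append(dom)     # victim beacon captured by the sinkhole
            continue
        return dom, owner                # live attacker infrastructure reached
    return None


def simulate_takedown(today):
    """Three states of the takedown and what the bot reaches in each."""
    hardcoded = ["c2-a.example", "c2-b.example"]   # constructed stand-ins for seized domains
    dga_today = generate_domains(today)
    registry = {d: "sinkhole" for d in hardcoded}  # step 1: seize hardcoded domains only
    log = []
    step1 = run_bot(hardcoded, dga_today, registry, log)

    registry[dga_today[3]] = "198.51.100.7"        # attacker registers one of today's DGA names
    step2 = run_bot(hardcoded, dga_today, registry, log)

    registry.update({d: "sinkhole" for d in upcoming_domains(today, 30)})  # step 2: cover DGA too
    step3 = run_bot(hardcoded, dga_today, registry, log)
    return {"hardcoded_only": step1, "attacker_dga": step2,
            "dga_sinkholed": step3, "beacons": log}


def find_dga_lookups(log_lines, dga_domains):
    """Flag DNS query log lines whose name is a known DGA domain.
    Constructed line format for this example: '<timestamp> <client> <qname>'."""
    watch = set(dga_domains)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].rstrip(".").lower()    # normalise trailing dot and case
        if qname in watch:
            hits.append((parts[1], qname))
    return hits


def sample_dns_log(dga_domains):
    # Constructed DNS log lines for the example, not real traffic.
    return [
        "2022-04-13T10:00:01 10.0.0.5 www.example.com",
        f"2022-04-13T10:00:02 10.0.0.5 {dga_domains[0]}.",
        f"2022-04-13T10:00:02 10.0.0.9 {dga_domains[5].upper()}",
        "2022-04-13T10:00:03 10.0.0.9 updates.example.net",
    ]


if __name__ == "__main__":
    print(simulate_takedown(TAKEDOWN_DAY))
    today_dga = generate_domains(TAKEDOWN_DAY)
    print(find_dga_lookups(sample_dns_log(today_dga), upcoming_domains(TAKEDOWN_DAY, 30)))
```

In the simulation, sinkholing only the hardcoded domains contains the bot until a criminal registers one of the day's DGA names, at which point the bot reaches live attacker infrastructure; sinkholing the precomputed DGA list closes that gap, which is the reason the court order also covers DGA domains and future registrations. The log check is the defender-side counterpart: because the DGA is deterministic, the domain list can be fed to DNS monitoring to find infected hosts before they beacon.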

The bad news is that this is most likely only a temporary disruption, as ZLoader has proven to be a highly persistent piece of malware.

When it first emerged, some three years ago, ZLoader was a banking trojan that let its operators steal login credentials and other data needed to access banking services from the compromised endpoint. It could also disable popular antivirus software, which allowed it to remain on infected devices far longer than other trojans of the time.

Soon after, its creators began offering it as a service, with ransomware operators becoming its most common clients. In its report, Forbes notes that the infamous Ryuk ransomware used ZLoader's infrastructure to launch attacks that caused tens of millions of dollars in damages.

Microsoft also named one Denis Malikov, from Crimea, as one of ZLoader's creators.

“We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes,” Forbes cited Microsoft saying.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.