Microsoft took responsibility today for leading the disruption of a criminal botnet called ZLoader, which ran a “malware as a service” platform to distribute ransomware. Microsoft went so far as to name an individual it believes is connected to the gang.
Microsoft received a court order from the US District Court for the Northern District of Georgia to take over 65 domains ZLoader controlled and direct them to a virtual sinkhole, according to a blog post Wednesday.
“Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organised criminal gang to continue their activities,” according to Microsoft. “We expect the defendants to make efforts to revive Zloader’s operations. We referred this case to law enforcement, are tracking this activity closely and will continue to work with our partners to monitor the behaviour of these cybercriminals. We will work with internet service providers (ISPs) to identify and remediate victims. As always, we’re ready to take additional legal and technical action to address Zloader and other botnets.”
CRN US has reached out to Microsoft for further information.
Microsoft has been authorized to take over another 319 registered ZLoader domains and is also working to block future registration of ZLoader domains created through a domain generation algorithm (DGA), according to the blog post.
ZLoader disables security and antivirus tools, captures screenshots, collects cookies, steals credentials, steals banking data, performs reconnaissance, provides attackers remote access and other malicious actions. It uses tools such as Cobalt Strike and Splashtop to gain hands-on-keyboard access to affected devices, according to a separate Microsoft blog post.
Although ZLoader started to steal account login identifications, passwords and other information with the purpose of taking money from people’s accounts, over time it has started its “malware as a service” offering, which has been linked to Ryuk, DarkSide, BlackMatter and other ransomware infections. DarkSide is the group that targeted Colonial Pipeline and CompuCom last year.
Most ZLoader attacks have targeted the US, China, western Europe and Japan, according to Microsoft. ZLoader operators have delivered the malware though malicious Google Ads.
Microsoft has authored a blog post on how to identify ZLoader campaigns and how to mitigate the threats.
“Due to the modular nature of some of ZLoader’s capabilities and its constant shifts in techniques, different ZLoader campaigns may look nothing alike,” according to Microsoft. “Previous campaigns have been fairly simple, with the malware delivered via malicious Office macros attached to emails and then used to deploy modules for capabilities. Other, more recent campaigns are notably complex–injecting malicious code into legitimate processes, disabling antivirus solutions, and ultimately culminating in ransomware.”
The ZLoader botnet – which refers to a network of computers infected with malware and controlled for nefarious purposes – is controlled by a global internet-based organized crime gang and infected computing devices in schools, hospitals, homes and businesses worldwide, according to Microsoft.
Microsoft also credited ESET, Black Lotus Labs – the threat intelligence arm of Lumen – and Palo Alto Networks Unit 42 with data and insights to strengthen its legal case against the gang.
In Microsoft’s blog post, the company named an individual allegedly involved with the botnet. The individual lives in Simferopol in Crimea, an area under dispute between Russia and Ukraine. Microsoft’s investigation started before the Russian invasion of Ukraine.
CRN US has chosen not to identify the individual because they have not been charged with a crime.
“We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes,” according to Microsoft.
Earlier this month, Microsoft took credit for disrupting cyberattacks this week conducted by an attacker connected with Russia and aimed at organisations in Ukraine, the United States and European Union.