This article is more than 1 year old

Microsoft-led move takes down ZLoader botnet domains

That should keep the criminals offline for, well, weeks probably

Microsoft has announced a months-long effort to take control of 65 domains that the ZLoader criminal botnet gang has been using to spread the remote-control malware and orchestrate infected machines.

The tech giant's Digital Crimes Unit obtained a court order from a US federal judge in Georgia to take down the domains, which are now directed to a Microsoft-controlled sinkhole so they can't be used by the malware's masterminds to communicate with their botnet of commandeered Windows computers.

From what we can tell from the filings submitted by Microsoft to the courts, its justification for the seizure is that ZLoader used the domains to injure the Windows giant as well as residents of the US state and commit computer fraud, infringement of Microsoft trademarks, and other illegal activity. The trademark infringement being that at least one of the domains was used for a website that featured Microsoft trademarks in an attempt to masquerade as a legit Redmond site, and also references in phishing emails to Microsoft-trademarked programs, such as Excel.

The case documents go into ZLoader's operations and design in quite some detail, if that's of interest or use to you.

In addition to the 65 hardcoded domains, the court order also allowed Microsoft to take control of an additional 319 registered domains that the botnet uses as a backup communication channel. These non-hardcoded domains are generated by an algorithm, and Microsoft said it's working to block future registration of these code-defined domains.

Its investigation also tied the ZLoader botnet allegedly to Denis Malikov, who lives in Simferopol on the Crimean Peninsula, which was annexed by Russia from Ukraine in 2014. According to Microsoft, he is one of the creators of a component that the botnet uses to distribute ransomware, and is identified in the aforementioned court paperwork. 

"We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes," wrote Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit.

From banking trojan to ransomware

ZLoader is a variant of the Zeus banking trojan that has been around for at least 15 years. While its earlier use was primarily to steal account login IDs and passwords for financial theft, it has evolved over the years and added new capabilities. 

These include defense, like disabling security and antivirus tools to evade detection, and offensive capabilities such as "capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers," according to the Microsoft's 365 Defender Threat Intelligence Team. 

Microsoft was keen to stress this was a cooperative effort, with security shops ESET, Lumen's threat-intel arm Black Lotus Labs, Palo Alto Networks' Unit 42's team and Avast Threat Labs helping out. It also thanked the Financial Services Information Sharing and Analysis Centers (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC) for "additional data and insights."

While the newly announced operation will have severely inconvenienced the botnet's operators, based on past experience they'll be back. In October 2020 Microsoft launched a similar operation against the Trickbot network, but it was back up and running within two weeks, the US Cybersecurity and Infrastructure Security Agency warned in an advisory. ZLoader is likely to be revived soon as well, since it has proven very popular so far and there's a lot of money to be made.

ZLoader is also sold on underground forums along with other types of commodity malware. "When purchased, affiliates are given all they need to set up their own servers with administration panels and to start building their bots," security firm ESET explained. "Affiliates are then responsible for bot distribution and maintaining their botnets."

More recently, the malware has been linked to ransomware gangs Ryuk, DarkSide and BlackMatter. ZLoader has also moved away from using email as an initial vector and instead turned toward ads on search engines that trick users into visiting malicious websites, the Microsoft Defender team added.

These campaigns look like a legitimate company or product such as Java, TeamViewer, Zoom, and Discord. "For the delivery stage of the attack, the actors would purchase Google Ads for key terms associated with those products, such as 'zoom videoconference,' the threat intel group explained. 

Of course, clicking on these phony ads then directs users to a malicious domain, which allows the botnets to infect the device and start using it to communicate with ZLoader servers. ®

More about


Send us news

Other stories you might like