Microsoft: We've just disrupted this ransomware-spreading botnet

Microsoft takes control of ZLoader's botnet infrastructure, which is used to spread malware and ransomware.
Written by Liam Tung, Contributing Writer

Microsoft has carried out another legal-technical takedown against cyber criminals, this time to dismantle the ZLoader botnet's infrastructure.

ZLoader malware has infected thousands of organizations, mostly in the US, Canada and India, and is known to have distributed the Conti ransomware.      

Microsoft has now received a court order from the US District Court for the Northern District of Georgia that allowed it to seize 65 domains the ZLoader gang had been using for command and control (C&C) for its botnet built from malware that infected businesses, hospitals, schools, and homes.

SEE: Clueless hackers spent months inside a network and nobody noticed. But then a ransomware gang turned up

Those domains now direct to a Microsoft sinkhole, outside of the control of the ZLoader gang. 

Microsoft also gained control over the domains ZLoader used for its domain generation algorithm (DGA), which are used to automatically create new domains for the botnet's C2.

"Zloader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains," said Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit

Microsoft led the action against ZLoader in partnership with researchers from ESET, Lumen's Black Lotus Labs, and Palo Alto Networks Unit 42. Avast also assisted in Microsoft's DCU European investigation. According to ESET, Zloader had about 14,000 unique samples and more than 1,300 unique C&C servers.

Microsoft acknowledges ZLoader is not finished and is also working with ISPs to identify and remediate infections on infected systems. It's also referred the case to law enforcement. 

Microsoft in 2020 used a similar legal-technical approach to taking down the Trickbot botnet.  

Microsoft in its technical analysis of ZLoader notes that the group used Google Ads to distribute Ryuk ransomware, allowing it to bypass email security and have it appear in the browser instead. Malicious ads and email were its primary delivery mechanisms. Each campaign impersonated known tech brands, including Java, Zoom, TeamViewer, and Discord.   

"The actors would purchase Google Ads for key terms associated with those products, such as "zoom videoconference." Users who performed Google searches for those terms during a specific time would be presented with an advertisement that led to the form grabbing malicious domains," Microsoft explains. 

For email delivery, the group often used Microsoft Office attachments and abused macros to infect machines. The lures to trick victims into opening a document and enable macros included COVID-19 alerts, overdue invoice payments and fake resumes.  

It is probably not the end of the story yet, though. "Our disruption is intended to disable ZLoader's infrastructure and make it more difficult for this organized criminal gang to continue their activities. We expect the defendants to make efforts to revive ZLoader's operations," Microsoft said.

Editorial standards