Microsoft has announced today that it has disrupted a major criminal botnet called ZLoader. Our readers may remember that this is also one of the botnets using XLM macros as an attack surface. Microsoft"s latest actions include technical and legal activities to damage the operations of the criminal group leveraging ZLoader as malware-as-a-service.
More interestingly, the Redmond tech giant has also explicitly named and shamed one of the criminals who developed a component that is used by ZLoader to distribute ransomware. The person in question is Denis Malikov of Simferopol on the Crimean Peninsula. This identity was revealed during Microsoft"s investigation and the company believes that publicly disclosing it will send a clear message to other criminals that they can"t hide behind masks of digital anonymity.
Microsoft has also procured a court order to take control of 65 domains that the criminal gang is using to grow its botnet. The botnet usually consists of infected PCs belonging to hospitals, schools, homes, and businesses globally. The tech firm says:
The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet’s criminal operators. Zloader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains.
Microsoft"s General Manager for the Digital Crimes Unit (DCU) Amy Hogan-Burney says that ZLoader"s original goal was financial and credential theft. However, now it also sells malware-as-a-service to distribute ransomware such as Ryuk, which targets healthcare institutions.
DCU has praised the support of several other companies and groups including ESET, Black Lotus Labs, Palo Alto Networks Unit 42, Avast, Microsoft Defender, and Microsoft Threat Intelligence Center in this endeavor.
Microsoft has noted that this is a major disruption but it expects the criminal gang to try and revive the botnet again. However, it will be closely targeting its activities and it hopes that it latest technical and legal actions will deter people involved in this gang.