Security Experts:

Microsoft Seizes Control of Notorious Zloader Cybercrime Botnet

Microsoft has disrupted the operation of one of the most notorious cybercrime botnets and named a Crimean hacker as an alleged perpetrator behind the distribution of ransomware to the network of infected machines.

Redmond’s Digital Crimes Unit (DCU) said it seized control of 65 domains used to remotely control the Zloader botnet, effectively disabling the crimeware gang’s command-and-control mechanism.   

The company also identified Denis Malikov, who lives in the city of Simferopol on the Crimean Peninsula, as “one of the perpetrators” behind the creation of a component used in the ZLoader botnet to distribute ransomware.

The Zloader botnet has been a thorn in Microsoft’s side for many years, infecting Windows-powered computing devices in businesses, hospitals, schools, and homes around the world.  The gang behind the botnet runs a malware-as-a-service operation designed to steal and extort money.

[ READ: Zloader Banking Malware Exploits Microsoft Signature Verification ]

Microsoft said it obtained a court order from the United States District Court for the Northern District of Georgia to take control of 65 domains that the ZLoader gang has been using to grow, control and communicate with its botnet. The domains are being redirected to a Microsoft sinkhole, meaning they can no longer be used by the botnet’s criminal operators.   

According to a note from Microsoft DCU general manager Amy Hogan-Burney, the company will also seize an additional 319 domains that are automatically generated and embedded within the malware.

Hogan-Burney said Microsoft’s DCU led an investigation with help from anti-malware vendor ESET, Black Lotus Labs (the threat intelligence arm of Lumen), and Palo Alto Networks Unit 42.

She said the company decided to name Malikov as an alleged perpetrator “to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.” 

[ READ: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA ]

“Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue their activities,” Hogan-Burney said, while acknowledging that the crimeware threat landscape is a cat-and-mouse game with no end.

“We expect the defendants to make efforts to revive Zloader’s operations. We referred this case to law enforcement, are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals,” she added. 

The notorious Zloader botnet was originally used for financial theft, stealing account login IDs and passwords but, over time, malware hunters noticed the cybercrime gang using access to the machines to deliver data-extortion ransomware attacks. Microsoft said it linked Zdloader to the Ryuk ransomware operation hitting health care institutions worldwide. 

In a separate technical report, the Microsoft 365 Defender Threat Intelligence Team shared notes on the history of the botnet, which first surfaced in 2007 in connection with the Zeus banking trojan.

“[ZLoader’s] capabilities include capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers,” the report said.

Microsoft said ZLoader attacks have affected nations around the world, with the majority targeting the U.S., China, Western Europe, and Japan.

Related: Financially Motivated Hackers Use Leaked Conti Ransomware Techniques

Related: Zloader Banking Malware Exploits Microsoft Signature Verification

Related: Microsoft Says Mac Trojan Becoming Stealthier, More Menacing

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.