Microsoft uses court order to disrupt ZLoader botnet

Microsoft announced on Wednesday that it used a court order to shut down a criminal botnet called ZLoader. 

The tech giant said in a blog post that its Digital Crimes Unit got a court order from the United States District Court for the Northern District of Georgia that allowed it to take over 65 domains used by the actors behind ZLoader to run the botnet. 

Microsoft said the botnet includes devices at schools, hospitals, businesses and homes across the world. The gang behind ZLoader uses it to operate a “malware as a service that is designed to steal and extort money.”

“The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet’s criminal operators. ZLoader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet,” Microsoft explained.  

“In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains.”

Microsoft was able to tie the ZLoader botnet to Denis Malikov, who they said lives in Simferopol on the Crimean Peninsula. According to their investigation, Malikov created a component used in the ZLoader botnet to distribute ransomware. 

Microsoft worked on the investigation alongside researchers at ESET, Lumen’s Black Lotus Labs, Palo Alto Networks Unit 42, Avast, the Financial Services Information Sharing and Analysis Centers and the Health Information Sharing and Analysis Center.

Their analysis showed that in addition to stealing bank account information like login IDs and passwords, ZLoader was able to disable popular security and antivirus software, which kept it hidden on compromised devices. 

They noted that eventually, the botnet evolved into a delivery platform for the Ryuk ransomware.

Microsoft says it has referred the case to law enforcement but noted that the gang behind the botnet will likely attempt to revive it. 

ESET said in its own blog post that ZLoader is one of many banking trojan malware families inspired by the Zeus banking trojan, which had its source code leaked in 2011.

ESET explained that it has seen ZLoader “infestations and campaigns” across North America, Europe and Japan. 

“As ZLoader is available in underground forums, ESET Researchers will monitor any new activity tied to this malware family, following this disruption operation against its existing botnets,” ESET added.