Microsoft Sinkholes Notorious ZLoader Botnet

Share this article on:

The notorious ZLoader cybercrime botnet, which was used to deliver Ryuk ransomware in attacks on healthcare providers, has been disabled by Microsoft’s Digital Crimes Unit (DCU). Microsoft recently obtained a court order from the United States District Court for the Northern District of Georgia authorizing the seizure of 65 hard-coded domains used by the ZLoader botnet for command-and-control communications. Those domains have now been sinkholed, preventing the operator of the botnet from communicating with devices infected with ZLoader malware.

ZLoader malware included a domain generation algorithm (DGA) which is triggered if communication with the hard-coded domains is not possible, which serves as a failsafe against any takedown efforts. The court order also allowed Microsoft to seize 319 DGA-registered domains. Microsoft is working to block the registration of any future DGA domains.

ZLoader is part of a family of malware variants that descended from the ZeuS banking Trojan. Initially, ZeuS was used for credential and financial theft, with the aim of transferring money out of victims’ financial accounts. The threat actor behind the malware then established a malware-as-a-service operation to deliver malware and ransomware for other threat actors such as Ryuk.

Ryuk ransomware has been extensively used in attacks on the healthcare industry since its emergence in 2018, and ZLoader was one of the ways the ransomware was delivered. ZLoader is capable of disabling a popular antivirus solution to evade detection, and the malware has been installed on thousands of devices, many of which are in education and healthcare.

The takedown of the botnet is significant; however, the operators of the botnet are likely already working to set up new command and control infrastructure. Microsoft said the takedown has been a success and resulted in the temporary disabling of the ZLoader infrastructure, which has made it more difficult for the organized criminal gang to continue with its malicious activities.

“We referred this case to law enforcement, who are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals. We will work with internet service providers to identify and remediate victims,” said Microsoft. Microsoft also confirmed that it is prepared to take further legal action and implement technical measures to deal with ZLoader and other botnets.

Microsoft also named an individual who is believed to be responsible for developing a component of the malware that was used for delivering ransomware – Denis Malikov, who resides in Simferopol on the Crimean Peninsula. “We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.”

Microsoft said it was assisted with its investigation of the ZLoader operation by the cybersecurity firm ESET, Palo Alto Networks’ Unit 42, team, and Black Lotus Labs, and was provided with additional insights from the Financial Services Information Sharing and Analysis Centers (FS-ISAC), the Health Information Sharing and Analysis Center (H-ISAC), the Microsoft Threat Intelligence Center, and the Microsoft Defender Team.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On