2022-04-13

The Microsoft Digital Crimes Unit (DCU) has carried out an operation together with ESET, Black Lotus Labs and Unit 42 of Palo Alto Networks that has resulted in the dismantling of a botnet called ZLoader. The malware that gave the network its name began life as a Zeus-inspired banking Trojan, but evolved into a distributor of ransomware that, during the last three years, has attacked companies, hospitals, schools and private users.

The operation carried out by Microsoft and its partners consisted of seizing, through a court order, the domains of three botnets, each of which used a different version of the ZLoader malware. A total of 65 domains were identified that the criminal group used to grow, control and communicate with its botnets. These domains have been redirected to a sinkhole controlled by Microsoft, so that malware already installed on victim machines can no longer reach its operators and can no longer be used by the cybercriminals.

ZLoader bots also have a backup communication channel that automatically generates unique domain names on which they can receive commands from their handler. This technique, known as a domain generation algorithm (DGA), produces 32 different domains per day per botnet. Microsoft has been able to take control of another 319 currently registered DGA domains and is working on blocking the foreseeable future registration of domains generated by the algorithm.
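The two defensive measures described above, sinkholing seized domains and pre-empting the domains a DGA will produce, both rest on the same property: a DGA is deterministic, so whoever knows the seed and the date can enumerate the candidate domains before the bots ask for them. The following added example (written for this page, not ZLoader's real algorithm or any code from Microsoft or its partners) uses a constructed, hash-based toy DGA that yields 32 domains per day, pre-computes a week's worth of candidates as a blocklist, and matches a few constructed DNS query log lines against it, which is what a sinkhole or resolver operator would see when an already-infected host tries its fallback channel. The seed value, the TLD set and the log line format are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA for illustration only; it is NOT ZLoader's algorithm.
# A per-botnet seed and the current date are hashed to derive each candidate.
DOMAINS_PER_DAY = 32            # figure quoted in the article for ZLoader
TLDS = ("com", "net", "org")    # assumed TLD set for the toy algorithm


def dga_domains(seed: str, day: date, count: int = DOMAINS_PER_DAY) -> list:
    """Deterministically derive `count` candidate domains for `seed` on `day`."""
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        # Map the first 12 digest bytes onto lowercase letters for the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_for_window(seed: str, start: date, days: int) -> set:
    """Pre-compute every domain the DGA yields on the days [start, start+days).

    A defender who knows the seed can register, sinkhole or block these names
    before the botnet operator does.
    """
    out = set()
    for offset in range(days):
        out.update(dga_domains(seed, start + timedelta(days=offset)))
    return out


def match_dns_log(log_lines, blocklist) -> list:
    """Return (client_ip, qname) pairs for queries that hit the DGA blocklist."""
    hits = []
    for line in log_lines:
        # Constructed log format: "<timestamp> <client_ip> query <qname>"
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()   # drop trailing dot, normalise case
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits


SEED = "example-botnet-seed"   # constructed; a real botnet embeds its own seed
START = date(2022, 4, 13)      # the article's date, used as the first DGA day

# Constructed DNS query log; two lines carry toy-DGA names, two are benign.
SAMPLE_DNS_LOG = [
    "2022-04-13T10:00:01 10.0.0.5 query www.example.com.",
    f"2022-04-13T10:00:07 10.0.0.9 query {dga_domains(SEED, START)[3]}.",
    "2022-04-13T10:00:09 10.0.0.5 query mail.example.org.",
    f"2022-04-14T02:15:00 10.0.0.9 query {dga_domains(SEED, START + timedelta(days=1))[0]}.",
]


def demo() -> list:
    """Pre-compute one week of candidates and scan the sample log against them."""
    blocklist = blocklist_for_window(SEED, START, days=7)
    return match_dns_log(SAMPLE_DNS_LOG, blocklist)


if __name__ == "__main__":
    for client, qname in demo():
        print(f"{client} queried DGA candidate {qname}")
```

The same matching logic, run against real resolver logs with the real candidate list, is how hosts that still carry the malware surface after a takedown: the sinkhole answers the query, the bot gets no useful commands, and the source address identifies a machine that needs cleaning.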

“Microsoft’s activities are aimed at disrupting the ZLoader infrastructure and making it difficult for this organized crime group to continue their activities,” the company says in a statement. In addition, on this occasion the American technology company has publicly identified one of those responsible for creating a component used in the ZLoader botnet to distribute ransomware. This is Denis Malikov, a man who lives in the city of Simferopol, on the Crimean peninsula.

“At first, the main objective of ZLoader was financial theft […]”, explains Microsoft. “ZLoader included a component that disabled popular antivirus and security software, thereby preventing victims from detecting the infection. Over time, cybercriminals began using the malware-as-a-service technique to distribute dangerous ransomware such as Ryuk, known to target healthcare institutions in order to extort money from them […]”. ZLoader also took advantage of Microsoft’s digital signature verification to steal sensitive information from victims.

That the ZLoader network has been dismantled does not mean that the malware is gone or that the danger has passed. For this reason the standing advice applies: keep all software updated and do not install anything suspicious.