Microsoft takes control of ZLoader botnet infrastructure

Microsoft has announced that it has carried out a major offensive against the ZLoader botnet and taken control of the domains it was using.

The ZLoader malware had infected thousands of individuals and organisations (companies, hospitals, schools, etc.)—particularly in the United States, Canada, and India—and had been used to distribute ransomware such as Conti.

After a lengthy investigation, with assistance provided by ESET, Lumen, Black Lotus Labs, Palo Alto Networks Unit 42, and Avast, Microsoft obtained a U.S. court order to take control of 65 domains used by ZLoader for its botnet C&C, as well as domains from its domain generation algorithm (DGA).

“Zloader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains,” said Amy Hogan-Burney, General Manager of Microsoft’s Digital Crimes Unit.

All of these domains are now directed to a sinkhole controlled by Microsoft. ZLoader had a total of 14,000 unique samples and over 1,300 unique control servers.
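The quote above describes the defensive problem the sinkhole addresses: a DGA gives the malware a fallback channel, so blocking the hardcoded domains alone is not enough. The following is an added example, not code from the article or from Microsoft, showing the kind of check a defender can run over their own DNS query logs: it flags queries whose second-level label looks algorithmically generated (long, high entropy, few vowels) and queries whose answer is a known sinkhole address. The log lines, the sinkhole address `192.0.2.10`, and the scoring thresholds are all constructed for this example.

```python
import math
from collections import Counter

# Constructed sample DNS log lines (not real ZLoader data):
# "<timestamp> <client> <queried name> <answer address>"
SAMPLE_DNS_LOG = """\
2022-04-13T10:00:01Z 10.0.0.15 www.microsoft.com 198.51.100.20
2022-04-13T10:00:02Z 10.0.0.15 kxqzvptwlmrh.com 192.0.2.10
2022-04-13T10:00:03Z 10.0.0.22 mail.example.org 198.51.100.7
2022-04-13T10:00:04Z 10.0.0.22 bwtfjqkpzxnd.net 203.0.113.5
2022-04-13T10:00:05Z 10.0.0.31 login.live.com 198.51.100.2
"""

# Constructed placeholder: the address a takedown sinkhole answers with.
# In practice this set is filled from a published sinkhole/indicator list.
SINKHOLE_IPS = {"192.0.2.10"}


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Return the label just left of the TLD, e.g. 'example' for mail.example.org."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname):
    """Heuristic 0..3 score: length, entropy, and vowel ratio of the registrable label.
    Thresholds are constructed for this example and will produce false positives
    on CDN or hashed hostnames; treat the score as a triage hint, not a verdict."""
    label = second_level_label(qname)
    score = 0
    if len(label) >= 10:
        score += 1
    if shannon_entropy(label) >= 3.2:
        score += 1
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label) if label else 0.0
    if vowel_ratio < 0.2:
        score += 1
    return score


def flag_dga_queries(log_text, sinkhole_ips=SINKHOLE_IPS, min_score=2):
    """Parse log lines and return (client, qname, reasons) for suspicious queries.
    A query is flagged if it looks DGA-generated or resolved to a sinkhole address;
    the latter is strong evidence the client is infected and reaching for fallback C2."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, answer = line.split()
        reasons = []
        score = dga_score(qname)
        if score >= min_score:
            reasons.append(f"dga_score={score}")
        if answer in sinkhole_ips:
            reasons.append("sinkhole_answer")
        if reasons:
            findings.append((client, qname, reasons))
    return findings


if __name__ == "__main__":
    for client, qname, reasons in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {', '.join(reasons)}")
```

Run against the constructed log, the two random-looking names are flagged and the one that resolved to the sinkhole address carries both reasons; the legitimate names score zero. A client that keeps hitting sinkhole answers after the hardcoded domains are blocked is exactly the host the quoted "fallback or backup communication channel" remark is about, and is worth isolating and imaging rather than just blocking.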

The investigation revealed that the group had used Google Ads to distribute the Ryuk ransomware (via fake ad campaigns for Java, Zoom, TeamViewer, or Discord that led to malicious domains), as well as fraudulent emails, often with infected Microsoft Office attachments.

However, ZLoader has not been completely dismantled, and its members could soon reactivate the botnet. Microsoft has also referred the case to law enforcement.