Microsoft dismantles ZLoader botnet

Microsoft and ESET security teams explained how they were able to identify and dismantle the command and control infrastructure of the notorious ZLoader malware network.

Microsoft put a stop to the notorious ZLoader botnet with a series of server takedowns.

The software giant Wednesday said that its Digital Crimes Unit (DCU) partnered with local service providers and other security vendors to identify and remove the server networks that were being used by the ZLoader crew to control the millions of systems its malware had infected.

By taking out the command and control infrastructure, Microsoft has dealt a major blow to a long-running malware operation whose activities ranged from bank fraud and account theft to large-scale ransomware campaigns. Amy Hogan-Burney, general manager of Microsoft's DCU, said the company's investigation revealed one of the alleged creators of a ZLoader component that distributes ransomware: Denis Malikov of Simferopol, Crimea.

"We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes," Hogan-Burney wrote in a blog post. "Today's legal action is the result of months of investigation that pre-date the current conflict in the region."

According to Microsoft, ZLoader's versatility was a key reason to target the botnet for a takedown. By wiping out the malware's control structure, the DCU believed it would be able to make an impact across a number of cybercrime sectors.

"ZLoader campaign operators evolved the malware from a basic banking trojan to a more sophisticated piece of malware capable of monetizing compromised devices by selling access to other affiliate groups," Microsoft's threat intelligence team said in a blog post. "By leveraging and misusing legitimate tools like Cobalt Strike and Splashtop, affiliates gain hands-on-keyboard access to affected devices, which can be further misused for other malicious activities like credential theft or downloading additional payloads, including ransomware."

The malware itself is believed to be derived from the Zeus banking Trojan. It was largely spread to PCs by way of poisoned digital ads or, in its earlier days, as attachments disguised in phishing emails. Among the more devious methods the operators used to infect machines was to sign the malware installer with code-signing certificates issued to fictitious companies, so that the download appeared to come from a legitimate publisher.

"The first method ZLoader has used to sign files is by creating fictitious companies," Microsoft explained. "In certain campaigns, the .msi files that are installed on the device after the user visits a malicious ad are signed by a fictitious company created by the operator for the purpose of the campaign."

Once installed, the malware was able to hide its activities by deliberately targeting and disabling popular end-user security tools. From there, the malware would connect back with a command server and, depending on what the cybercriminal wanted to do, would perform anything from account theft to data exfiltration.

Rather than try to wipe out the malware from individual systems, Microsoft opted to target the command structure of the botnet. To that end, the researchers had to investigate hundreds of different domains that the criminal hackers were using to relay commands to infected machines.

Security firm ESET, which also assisted with the takedown effort, reported that its team alone identified more than 380 different domains that had been registered by ZLoader operators.

"Zloader bots rely on a backup communication channel that automatically generates unique domain names that can be used to receive commands from their botmasters," ESET explained. "This technique, known as a domain generation algorithm (DGA), is used to generate 32 different domains per day, per botnet."
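To make the DGA fallback described above concrete, here is an added illustrative example (not ZLoader's real algorithm, and not code from Microsoft or ESET) of a date-seeded, per-botnet generator that yields 32 domains per day, together with the defender's side of it: once the per-botnet key is recovered from a sample, every domain the bots will try can be precomputed and registered or sinkholed ahead of time, and DNS logs can be matched against that schedule. The hashing scheme, label length, `.com` TLD, botnet key and log lines are all constructed assumptions for the example.

```python
"""Illustrative domain generation algorithm (DGA) and the defender's view of it.

This is NOT ZLoader's real algorithm. It is a constructed example that models
the property the article describes: a date-seeded, per-botnet generator that
yields 32 fallback domains per day. The hash scheme, label length, TLD and
botnet key below are assumptions made for illustration only.
"""
import datetime
import hashlib
import string

DOMAINS_PER_DAY = 32          # figure quoted in the article
LABEL_LENGTH = 16             # assumption
TLD = ".com"                  # assumption
ALPHABET = string.ascii_lowercase


def generate_domains(botnet_key: bytes, day: datetime.date) -> list[str]:
    """Return the day's 32 fallback domains for one botnet (hypothetical DGA)."""
    domains = []
    for index in range(DOMAINS_PER_DAY):
        # Seed = per-botnet key + date + counter, so each botnet gets its own
        # set of domains and the set rotates daily.
        seed = botnet_key + day.isoformat().encode() + index.to_bytes(2, "big")
        digest = hashlib.sha256(seed).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LENGTH])
        domains.append(label + TLD)
    return domains


def sinkhole_schedule(botnet_key: bytes, start: datetime.date,
                      days: int) -> dict[str, set[str]]:
    """Defender view: with the key recovered, precompute every domain the bots
    will try over the next `days` days so they can be registered or sinkholed
    before the operators get to them."""
    schedule = {}
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        schedule[day.isoformat()] = set(generate_domains(botnet_key, day))
    return schedule


def flag_dga_queries(dns_log: list[str],
                     schedule: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Match DNS query log lines of the form 'YYYY-MM-DD client qname' against
    the schedule; only a domain valid on the day it was queried counts."""
    hits = []
    for line in dns_log:
        day, client, qname = line.split()
        if qname.lower().rstrip(".") in schedule.get(day, set()):
            hits.append((client, qname))
    return hits


def demo() -> list[tuple[str, str]]:
    key = b"recovered-botnet-key-example"   # assumption: key recovered from a sample
    day = datetime.date(2022, 4, 12)         # constructed date
    next_day = day + datetime.timedelta(days=1)
    schedule = sinkhole_schedule(key, day, days=2)
    planted = generate_domains(key, day)[5]
    # Constructed DNS log: one infected client hitting a current DGA domain, one
    # benign query, and one client resolving yesterday's domain a day late.
    dns_log = [
        f"{day.isoformat()} 10.0.0.7 {planted}",
        f"{day.isoformat()} 10.0.0.8 www.example.com",
        f"{next_day.isoformat()} 10.0.0.9 {planted}",
    ]
    return flag_dga_queries(dns_log, schedule)


if __name__ == "__main__":
    for client, qname in demo():
        print(f"{client} queried DGA domain {qname}")
```

The point of `flag_dga_queries` keying on the date is the same one that makes the takedown work: a DGA domain is only useful to the bot on its day, so a defender who can compute the sequence can register or sinkhole tomorrow's 32 names today, while stale domains in a log are just noise.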

Microsoft said Palo Alto Networks and Black Lotus Labs, the threat intelligence arm of telecom company Lumen, also assisted with the takedown operation.

Dismantling the ZLoader command and control network does not clean up machines that are already infected, so both administrators and end users should check that their antimalware tools are installed and running, and then scan their machines for any possible infection. Researchers believe ZLoader infections are largely concentrated in North America, Western Europe, Japan and China.
