Dive Brief:
- Microsoft intercepted a criminal botnet called Zloader, which operates a global malware-as-a-service operation that hijacks computers for theft and extortion, including the distribution of Ryuk ransomware, which often targets healthcare organizations, said Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit, in a blog post.
- Microsoft got a court order through the U.S. District Court for the Northern District of Georgia to take control of 65 domains used to control the botnet and redirect them into a sinkhole.
- Microsoft said it partnered with several major cybersecurity providers to take down the botnet, including ESET, Palo Alto Networks Unit 42 and Lumen’s Black Lotus Labs.
Dive Insight:
Microsoft said Zloader was originally used for financial theft operations, stealing online IDs, passwords and other information that could be used to take funds from victim accounts. Zloader was also used to disable anti-virus software, making it more difficult for victims to detect the botnet.
The operation itself targeted three specific botnets, each one used for a different version of Zloader malware, according to researchers at ESET.
Each botnet was “operated by independent affiliates who managed and monetized their botnet independently, for example by stealing financial information or deploying ransomware,” Alexis Dorais-Joncas, security intelligence team lead at ESET, told Cybersecurity Dive via email.
Microsoft named Denis Malikov, based in Simferopol on the Crimean Peninsula, as one of the people connected with the operation, as part of its legal filing. Microsoft said it had been investigating the operation for months, well before Russia's invasion of Ukraine.
The company said the Zloader malware embeds a domain generation algorithm (DGA), which deterministically produces additional domains that the bots can fall back on as backup command-and-control channels. The court order allowed Microsoft to take control of another 319 registered DGA domains, and the company said it will also block future attempts to register the domains the algorithm produces.
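As an added illustration, not code from the original article and not Zloader's actual algorithm, the block below implements a generic date-seeded DGA together with the two defender-side steps a sinkholing operation relies on: walking the algorithm forward to enumerate every domain it will produce over a coming window (the list a takedown team hands to registrars to block or sinkhole before the operators can register them), and matching DNS query logs against that list. The seed, the TLD set, the count of domains per day and the log line format are all assumptions made for the example.

```python
import hashlib
from datetime import date, timedelta

# Assumed values for the illustration: a recovered DGA seed, a TLD set, a
# daily domain count and a reference date. None are Zloader's real parameters.
SEED = "example-campaign-seed"
TLDS = ("com", "net", "org", "info")
DOMAINS_PER_DAY = 8
START = date(2022, 4, 13)


def dga_domains(seed: str, day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Toy DGA: derive `count` candidate C2 domains for one calendar day.

    The malware and anyone who has recovered `seed` compute the same list,
    which is what makes defender-side enumeration possible.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        label = digest[:12]                              # 12 hex chars as the hostname label
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]   # next byte picks the TLD
        domains.append(f"{label}.{tld}")
    return domains


def enumerate_window(seed: str, start: date, days: int) -> set[str]:
    """Run the algorithm forward over `days` days from `start`.

    The resulting set is what a takedown team would pre-register, block at
    registrars, or point at a sinkhole before the operators get to them.
    """
    future = set()
    for offset in range(days):
        future.update(dga_domains(seed, start + timedelta(days=offset)))
    return future


def flag_dga_queries(dns_log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Match queried names against the enumerated set.

    Assumed log format: 'timestamp client_ip qname' with an optional trailing
    dot on the qname. Returns (client_ip, qname) pairs worth investigating.
    """
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    window = enumerate_window(SEED, START, 30)
    # Constructed DNS log: one benign lookup, one lookup of a day-2 DGA domain.
    sample_log = [
        "2022-04-14T09:00:01Z 10.0.0.5 www.example.com.",
        f"2022-04-14T09:00:02Z 10.0.0.9 {dga_domains(SEED, START + timedelta(days=1))[3]}.",
    ]
    print(f"{len(window)} domains in the 30-day window")
    print(flag_dga_queries(sample_log, window))
```

The point of the enumeration step is that a DGA only helps the operators while the defender does not know the algorithm and seed; once those are recovered from a sample, the same determinism lets the takedown side get ahead of the registrations, which is what the court order's coverage of future domains does legally.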
The operation represents the second disruption of a criminal operation by Microsoft this month. Microsoft last week said it blocked threat activity by Strontium, a state-backed operation from Russia that was launching attacks against U.S. and European government agencies and foreign policy think tanks, to steal information related to the Ukraine invasion.
Microsoft said the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC) also shared data used in the case. Avast also provided support.