Microsoft’s DCU Adopts Legal Measures to Undermine ZLoader Botnet 

Posted by HIPAA Software on Apr 15, 2022

Microsoft's Digital Crimes Unit (DCU) has announced on its blog that it has taken legal action to disrupt the ZLoader botnet, a network of infected devices controlled by a well-known cybercriminal gang. The gang ran ZLoader under a malware-as-a-service (MaaS) model and used it to distribute ransomware. The DCU also named an individual it suspects of being involved in the operation.

How Did It Start?

Microsoft's DCU recently obtained a court order from the U.S. District Court for the Northern District of Georgia. The order found that ZLoader used 65 domains to run its malicious infrastructure and authorized Microsoft to take control of them. According to Microsoft, the DCU's investigation began before Russia's invasion of Ukraine.

The botnet's malware contains a domain generation algorithm (DGA). A DGA lets ZLoader compute new backup command-and-control domains on the fly, so that the operators can regain control even if their current domains are seized. The 65 domains named in the court order are now redirected to a Microsoft sinkhole, where the operators can no longer use them. The district court also allowed Microsoft to take over more than 300 further domains that the DGA had already produced and had been registered, and to work on blocking future registration of ZLoader DGA domains.
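To make the DGA mechanism concrete, here is an added example (not code from the page, Microsoft, or the ZLoader malware itself) of a hypothetical date-seeded domain generation algorithm together with the defender's side of the same idea: precomputing the domains the algorithm can produce over a window of days and flagging DNS queries that hit them. The seed, label length, TLD list, and the DNS log format are all assumptions for illustration; ZLoader's real algorithm is not described on this page.

```python
"""
Illustrative domain generation algorithm (DGA) and a matching detector.

Added, hypothetical example: this is NOT ZLoader's real DGA. It shows the
general idea: the malware and its operators derive the same list of fallback
domains from a shared seed (here, the calendar date), so the operators only
need to register one of them, while defenders who know the algorithm can
precompute the whole list and sinkhole or alert on it.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")            # assumption: TLDs the generator rotates through
SEED = b"example-dga-seed"              # assumption: secret shared by malware and operator


def generate_domains(day: date, count: int = 10) -> list[str]:
    """Derive `count` candidate domains for one day from SEED and the date."""
    domains = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:12]                          # 12 hex chars as the host label
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]  # last byte picks the TLD
        domains.append(f"{label}.{tld}")
    return domains


def domains_for_window(start: date, days: int, count: int = 10) -> set[str]:
    """Precompute every domain the DGA can produce over a window of days.
    This is the list a defender would sinkhole or put on a DNS watchlist."""
    result: set[str] = set()
    for offset in range(days):
        result.update(generate_domains(start + timedelta(days=offset), count))
    return result


def flag_dga_queries(dns_log_lines, suspect_domains):
    """Return (client_ip, qname) pairs for DNS queries that hit DGA domains.
    Assumed (constructed) line format: '<timestamp> <client_ip> <qname>'."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        qname = qname.lower().rstrip(".")   # normalise trailing dot / case
        if qname in suspect_domains:
            hits.append((client, qname))
    return hits


SAMPLE_DAY = date(2022, 4, 13)
WATCHLIST = domains_for_window(SAMPLE_DAY, days=3)

# Constructed DNS log: two benign queries and one to a DGA domain for day 2
# of the window (generated here so the sample stays consistent with the seed).
SAMPLE_DNS_LOG = [
    "2022-04-14T09:00:01 10.0.0.5 www.microsoft.com",
    f"2022-04-14T09:00:07 10.0.0.8 {generate_domains(SAMPLE_DAY + timedelta(days=1))[3]}.",
    "2022-04-14T09:00:09 10.0.0.5 update.example.org",
]


def demo():
    """Run the detector over the constructed log."""
    return flag_dga_queries(SAMPLE_DNS_LOG, WATCHLIST)


if __name__ == "__main__":
    for client, domain in demo():
        print(f"{client} queried DGA domain {domain}")
```

The important property is that `generate_domains` is deterministic for a given seed and date: that is what lets the operators and a defender who has reverse-engineered the algorithm arrive at the same list, and it is why a court order covering domains "not yet registered" is useful against a DGA-equipped botnet.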

What is ZLoader Botnet?

ZLoader was originally built to steal financial information, such as online-banking login credentials, which let the criminals drain accounts unnoticed. The gang later adopted a malware-as-a-service (MaaS) model and used the botnet to distribute ransomware on demand. ZLoader spread through malicious Google Ads and in this way attacked victims in Japan, Western Europe, the United States, and China. As a MaaS platform it delivered Ryuk, DarkSide, BlackMatter, and similar ransomware families.

According to data from the U.S. Department of Health and Human Services (HHS), DarkSide attacked Colonial Pipeline and CompuCom in 2021, and in 2020 Ryuk was responsible for about 75% of ransomware attacks on the healthcare industry. The gang stood out from the rest for its complete lack of scruples: it attacked healthcare organizations regardless of the risk to patients.

Microsoft's DCU reported that the gang behind ZLoader attacked not only devices at financial organizations but also schools, hospitals and other medical institutions, businesses, and personal devices.


How to Detect ZLoader Botnet Attack?

In its blog post, Microsoft also shared guidance on how to recognize ZLoader attacks and mitigate their consequences. According to the post, ZLoader is hard to detect in its early stages, because individual campaigns can differ considerably from one another: the malware is modular, and the operators regularly modify it.

The first attacks were primitive. The malware was delivered through malicious Office macros in documents attached to emails, and those macros were then used to deploy additional capability modules. The latest attacks are far more sophisticated: malicious code is injected into legitimate running processes, antimalware tools are disabled, and ransomware follows as the final stage.
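The attack chain above (a macro in an emailed Office document spawning a script host, then antimalware being switched off) is exactly what process-creation telemetry is good at catching. The following is an added example, not Microsoft's published detection logic or indicators, showing two generic heuristics run over constructed process-creation events: an Office application launching a script host or LOLBin, and a PowerShell command line that turns off Microsoft Defender real-time protection via `Set-MpPreference`. The event fields, hostnames, paths, and rule names are assumptions made for the example.

```python
"""
Detection logic for two ZLoader delivery stages described in the post:
an Office macro spawning a script host, and antimalware being disabled.

Added example. The events below are constructed, and the rules are generic
heuristics for process-creation telemetry (Sysmon Event ID 1 or an EDR
equivalent), not Microsoft's indicators for ZLoader.
"""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Lower-cased substrings that indicate Defender being turned off from PowerShell
AV_TAMPER_MARKERS = ("set-mppreference", "disablerealtimemonitoring",
                     "disableioavprotection")


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list if clean)."""
    alerts = []
    parent = basename(event.parent_image)
    child = basename(event.image)
    cmd = event.command_line.lower()

    # Rule 1: an Office application should not be spawning script hosts.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        alerts.append("office_spawns_script_host")

    # Rule 2: PowerShell disabling Defender real-time / on-access protection.
    if child in {"powershell.exe", "pwsh.exe"} and any(m in cmd for m in AV_TAMPER_MARKERS):
        alerts.append("defender_tamper_via_powershell")
    return alerts


def scan(events):
    """Run every rule over a stream of events; return (ts, host, rule) tuples."""
    return [(e.ts, e.host, rule) for e in events for rule in evaluate(e)]


# Constructed sample: a user opens a macro document, the macro runs cmd.exe,
# which runs PowerShell to disable Defender. A benign cmd.exe on another host
# is included to show the rules do not fire on ordinary activity.
SAMPLE_EVENTS = [
    ProcessEvent("2022-04-13T10:02:11", "WS-101",
                 r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\jane\Downloads\invoice.docm"'),
    ProcessEvent("2022-04-13T10:02:15", "WS-101",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell -w hidden -f stage2.ps1"),
    ProcessEvent("2022-04-13T10:02:16", "WS-101",
                 r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcessEvent("2022-04-13T10:05:00", "WS-102",
                 r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),
]


if __name__ == "__main__":
    for ts, host, rule in scan(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}")
```

Rule 1 is deliberately parent-based rather than file-based: a renamed or obfuscated payload still has to be launched by the Office process that ran the macro, so the parent-child relationship survives changes to the malware's modules. Rule 2 is the tamper step the post describes; in practice it should be paired with Defender's own tamper-protection events rather than relied on alone.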

Who is That Suspected Cybercriminal?

While investigating the case, Microsoft's DCU identified an individual who took part in building ZLoader: Denis Malikov, a resident of Simferopol on the Crimean Peninsula, which Russia annexed in 2014. According to Microsoft, he developed a component of the ZLoader botnet. The company published his name to make clear to cybercriminals that they cannot hide behind anonymity while carrying out malicious activity on the web.

The lawsuit is the result of a months-long investigation. Earlier in April, Microsoft also reported disrupting attacks by a Russia-linked threat actor that targeted Ukraine, the USA, and the EU.

Check our regular news about the cybersecurity landscape to stay on the top. Forewarned is forearmed.
