has smashed the infrastructure of the ZLoader botnet in cooperation with law enforcement officers. ZLoader malware has infected thousands of companies mostly in US, Canada and India and is known to spread Conti ransomware.
A court order from a US District Court in the state of Georgia allowed the company to seize 65 domains that the ZLoader gang had used to control their botnet. These domains now redirect to a Microsoft sinkhole that is beyond the control of the ZLoader gang.
Microsoft also gained control of the domains that ZLoader uses for its domain generation algorithm (DGA), which is used to automatically create new domains for the botnet’s command machines.
“Zloader includes a domain generation algorithm (DGA) embedded in the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hard-coded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block future registrations of DGA domains,” said Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit (DCU).
Microsoft led the action against ZLoader in collaboration with researchers from ESET, Lumen’s Black Lotus Labs, and Palo Alto Networks Unit 42. Avast also supported Microsoft’s European investigation into DCU. According to ESET, ZLoader had about 14,000 unique samples and more than 1300 unique command servers. Microsoft also works with Internet Service Providers to identify and fix infections on infected systems.