Microsoft has helped disable three botnets that have been stealing information and spreading ransomware to companies across the globe.
The botnets involve a Windows-based malware family known as ZLoader, which can hijack PCs. On Wednesday, Microsoft said it secured a US court order to take over 65 internet domains the botnets have been using to communicate with computers infected with ZLoader.
“The domains are now directed to a Microsoft sinkhole where they can no longer be used by the botnet’s criminal operators,” the company said. In addition, Microsoft’s court order allows the company to take control of another 319 domains the botnet has been programmed to use as a fallback mechanism.
The ZLoader malware initially emerged in 2019 as a banking Trojan to which cybercriminals could buy access. According to Microsoft, it can spread through email phishing campaigns loaded with malicious attachments. In other cases, it arrives through Google Ads for fake products, such as Zoom video-conferencing software.
If ZLoader successfully infects a machine, the malware can grab screenshots, lift passwords, and monitor keystrokes on the PC. At the same time, the resulting infections can give hackers control over the computer, paving the way for a botnet, or an army of enslaved machines.
To make money off the botnets, the hackers have been selling access to the infected machines. In turn, ZLoader has been programmed to load other malicious payloads, including ransomware packages such as Ryuk, DarkSide, and BlackMatter. Compounding the problem, ZLoader has been detected on numerous computers in the US, China, western Europe, and Japan.
In response, Microsoft said it worked with security providers ESET, Palo Alto Networks, and Black Lotus
Read more on pcmag.com