Microsoft-led move takes down ZLoader botnet domains
The Register | Apr 14, 2022 | Jessica Lyons Hardcastle

Posted on 04/18/2022 9:44:56 PM PDT by dayglored

That should keep the criminals offline for, well, weeks probably

Embedded links are in the original article.

Microsoft has announced a months-long effort to take control of 65 domains that the ZLoader criminal botnet gang has been using to spread the remote-control malware and orchestrate infected machines.

The tech giant's Digital Crimes Unit obtained a court order from a US federal judge in Georgia to take down the domains, which are now directed to a Microsoft-controlled sinkhole so they can't be used by the malware's masterminds to communicate with their botnet of commandeered Windows computers.

From what we can tell from the filings submitted by Microsoft to the courts, its justification for the seizure is that ZLoader used the domains to injure the Windows giant as well as residents of the US state and commit computer fraud, infringement of Microsoft trademarks, and other illegal activity. The trademark infringement being that at least one of the domains was used for a website that featured Microsoft trademarks in an attempt to masquerade as a legit Redmond site, and also references in phishing emails to Microsoft-trademarked programs, such as Excel.

The case documents go into ZLoader's operations and design in quite some detail, if that's of interest or use to you.

In addition to the 65 hardcoded domains, the court order also allowed Microsoft to take control of an additional 319 registered domains that the botnet uses as a backup communication channel. These non-hardcoded domains are generated by an algorithm, and Microsoft said it's working to block future registration of these code-defined domains.

Its investigation also tied the ZLoader botnet allegedly to Denis Malikov, who lives in Simferopol on the Crimean Peninsula, which was annexed by Russia from Ukraine in 2014. According to Microsoft, he is one of the creators of a component that the botnet uses to distribute ransomware, and is identified in the aforementioned court paperwork.

"We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes," wrote Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit.

From banking trojan to ransomware

ZLoader is a variant of the Zeus banking trojan that has been around for at least 15 years. While its earlier use was primarily to steal account login IDs and passwords for financial theft, it has evolved over the years and added new capabilities.

These include defense, like disabling security and antivirus tools to evade detection, and offensive capabilities such as "capturing screenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools, and providing remote access to attackers," according to Microsoft's 365 Defender Threat Intelligence Team.

Microsoft was keen to stress this was a cooperative effort, with security shops ESET, Lumen's threat-intel arm Black Lotus Labs, Palo Alto Networks' Unit 42's team and Avast Threat Labs helping out. It also thanked the Financial Services Information Sharing and Analysis Centers (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC) for "additional data and insights."

While the newly announced operation will have severely inconvenienced the botnet's operators, based on past experience they'll be back. In October 2020 Microsoft launched a similar operation against the Trickbot network, but it was back up and running within two weeks, the US Cybersecurity and Infrastructure Security Agency warned in an advisory. ZLoader is likely to be revived soon as well, since it has proven very popular so far and there's a lot of money to be made.

ZLoader is also sold on underground forums along with other types of commodity malware. "When purchased, affiliates are given all they need to set up their own servers with administration panels and to start building their bots," security firm ESET explained. "Affiliates are then responsible for bot distribution and maintaining their botnets."

More recently, the malware has been linked to ransomware gangs Ryuk, DarkSide and BlackMatter. ZLoader has also moved away from using email as an initial vector and instead turned toward ads on search engines that trick users into visiting malicious websites, the Microsoft Defender team added.

These campaigns look like a legitimate company or product such as Java, TeamViewer, Zoom, and Discord. "For the delivery stage of the attack, the actors would purchase Google Ads for key terms associated with those products, such as 'zoom videoconference,'" the threat intel group explained.

Of course, clicking on these phony ads then directs users to a malicious domain, which allows the botnets to infect the device and start using it to communicate with ZLoader servers. ®


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: botnet; computer; crime; internet; microsoft; windowspinglist; zloader
Good news for a change.
1 posted on 04/18/2022 9:44:56 PM PDT by dayglored

To: Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; AppyPappy; arnoldc1; ATOMIC_PUNK; bajabaja; ...
Score One For The Good Guys ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

2 posted on 04/18/2022 9:46:26 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

The good news may only last a week - at best.


3 posted on 04/19/2022 1:26:20 AM PDT by LordOddsocks

To: dayglored
Interesting, and somewhat frightening.

I use Windows and the Microsoft Edge Browser.

A week ago, my Microsoft Bing Maps home page suddenly changed from my home town - Seattle - to Cambridge, MA, home of Harvard and MIT.

No matter what I do on various settings pages, it either will not change from Cambridge to Seattle, or else it goes to Seattle for one or two clicks, then reverts to Cambridge again.

I do not even want to think about how many teenage hackers are currently living in Cambridge, MA.

4 posted on 04/19/2022 1:33:28 AM PDT by zeestephen

To: zeestephen

Is your VPN dumping you here?


5 posted on 04/19/2022 6:02:52 AM PDT by SgtHooper (If you remember the 60's, YOU WEREN'T THERE!)

To: SgtHooper
I do not have a VPN.

However, I would very much like to know why Bing Maps thinks my computer is hooked into a Cambridge, MA network.

6 posted on 04/19/2022 6:17:03 AM PDT by zeestephen

To: zeestephen

I noticed that behavior with one Win-10 PC I use. I set up the default weather program and Microsoft cheerfully invited me to turn on location services. I declined and manually set my location.

About three weeks go by uneventfully and then it starts showing weather for another state. I put it back and it has been behaving itself.

Now if I could just fix the bluescreens that machine has suddenly developed!


7 posted on 04/19/2022 6:29:39 AM PDT by rockrr ( Everything is different now...)

To: dayglored
The tech giant's Digital Crimes Unit obtained a court order from a US federal judge in Georgia to take down the domains, which are now directed to a Microsoft-controlled sinkhole

Rather than sending the requests off to /dev/null, wouldn't it be at least somewhat helpful if microsloth would attempt to contact owners of computers that are making calls to these botnets to let them know they are powned?

8 posted on 04/19/2022 10:24:16 AM PDT by zeugma (Stop deluding yourself that America is still a free country.)
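The sinkhole-side view of the question raised in this post (which hosts are calling the seized domains, and therefore who to notify), as an added example that is not part of the thread or the article: it correlates constructed resolver log lines against a placeholder list of sinkholed domains and produces the per-host list a notifier would hand to the machine's owner or ISP. The log layout, the placeholder domains and the sample lines are all assumptions, not ZLoader's real indicators.

```python
import re

# Constructed placeholder domains; the real ZLoader domains are in the court filings, not here.
SINKHOLED_DOMAINS = {"c2-placeholder-one.invalid", "c2-placeholder-two.invalid"}

# Constructed resolver log lines in an assumed "timestamp client IP query NAME" layout.
SAMPLE_LOG = """\
2022-04-19T06:00:01Z client 10.1.2.3 query c2-placeholder-one.invalid
2022-04-19T06:00:05Z client 10.1.2.3 query www.example.com
2022-04-19T06:01:10Z client 10.1.9.8 query update.c2-placeholder-two.invalid.
2022-04-19T06:02:00Z client 10.1.2.3 query C2-Placeholder-One.invalid
2022-04-19T06:03:30Z client 10.1.7.7 query notc2-placeholder-one.invalid
this line is malformed and must be skipped, not crash the parser
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) client (?P<src>\d{1,3}(?:\.\d{1,3}){3}) query (?P<qname>\S+)$")


def sinkholed_parent(qname, domains=SINKHOLED_DOMAINS):
    """Sinkholed domain that qname equals or is a subdomain of, else None.
    Case and a trailing dot are normalised; a bare suffix match (notc2...) is not a hit."""
    name = qname.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def correlate(log_text, domains=SINKHOLED_DOMAINS):
    """Per client IP that resolved a sinkholed name: names asked for, hit count,
    first and last timestamp. Lines that do not parse are skipped."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parent = sinkholed_parent(m["qname"], domains)
        if parent is None:
            continue
        rec = hits.setdefault(m["src"], {"domains": set(), "count": 0,
                                         "first": m["ts"], "last": m["ts"]})
        rec["domains"].add(parent)
        rec["count"] += 1
        rec["last"] = m["ts"]
    return hits


def notification_list(hits):
    """Hosts to notify, most active first, as (ip, hit_count, first_seen)."""
    return sorted(((ip, r["count"], r["first"]) for ip, r in hits.items()),
                  key=lambda t: (-t[1], t[0]))
```

In practice the source IP is the victim's NAT gateway or ISP, so the list is handed to the network owner or national CERT rather than matched to an individual machine.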

To: dayglored

.


9 posted on 05/06/2022 1:40:02 PM PDT by sauropod ("We put all our politicians in prison as soon as they are elected. Don't you?" Why? "It saves time.")
