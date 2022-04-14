Following months of investigation, Microsoft's Digital Crimes Unit (DCU) has taken legal and technical action to disrupt ZLoader, a criminal botnet run by a global internet-based organized crime gang operating malware as a service to steal and extort money, the company said on Thursday.

The investigation was led by DCU in partnership with ESET, Black Lotus Labs (the threat intelligence arm of Lumen) and Palo Alto Networks Unit 42, among others.

Microsoft said that it has obtained a court order that allows the company to take control of 65 domains that the ZLoader gang was using to grow, control and communicate with its botnet. In addition, Microsoft has taken control of an additional 319 already registered domains generated by the domain generation algorithm (DGA). The botnet operators used this technique to generate 32 different domains per day, per botnet.

The team is also working to block the future registration of DGA domains.
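To illustrate why a seized seed lets defenders pre-compute and block a DGA's future domains (the 32-per-day, per-botnet scheme and the registration blocking described above), here is an added example that is not ZLoader's real algorithm or any code from the investigation: a hypothetical date-seeded DGA, with a per-botnet seed, and the defender-side function that enumerates every domain it will produce over a date range.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical parameters for the illustration; the 32-per-day figure is
# the one reported for ZLoader, the TLD list and hashing are constructed here.
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 32


def dga(seed, day, count=DOMAINS_PER_DAY):
    """Return the domains a botnet keyed by `seed` would use on `day`.

    Hypothetical construction: each candidate is derived from a SHA-256 of
    seed || ISO date || index, so anyone holding the seed (operator or
    defender) can reproduce the exact list for any date.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(seed, start, days):
    """Defender side: enumerate every domain the DGA will emit from `start`
    for `days` days, so registrations can be blocked or sinkholed in advance."""
    blocklist = set()
    for n in range(days):
        blocklist.update(dga(seed, start + timedelta(days=n)))
    return blocklist


def is_future_dga_domain(domain, blocklist):
    """Check a domain (e.g. from DNS logs or a registration feed) against the list."""
    return domain.lower() in blocklist


if __name__ == "__main__":
    seed = b"botnet-A"  # constructed per-botnet seed
    future = precompute_blocklist(seed, date(2022, 4, 14), 30)
    print(f"{len(future)} domains to pre-block over 30 days")
```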

"Our disruption is intended to disable ZLoader's infrastructure and make it more difficult for this organized criminal gang to continue their activities. We expect the defendants to make efforts to revive Zloader's operations. As always, we're ready to take additional legal and technical action to address Zloader and other botnets," Amy Hogan-Burney, General Manager, Digital Crimes Unit, wrote in a blog post.

ZLoader started life as a banking trojan, stealing account login IDs, passwords and other information to take money from people's accounts. Over time the ZLoader gang began offering malware as a service, a delivery platform used to distribute ransomware including Ryuk, a well-known ransomware family that targets health care institutions to extort payment without regard to the patients it puts at risk.