Zeus C&C (Avalanche)
Recent Zeus C&C activity has been observed from: mnbvicdij4uhdjb5421knnkd.com
At the time of posting, the domain is not present in ZeusTracker.
The domain is currently fluxing (Fast-Flux), notice short TTLs and numerous A records across a number of netblocks (in this case, bots):
Zeus Configuration URLs:
oraha.bin = dfd46f8fdf3084984f57580fbe4f40b9
orahxa.bin = dfd46f8fdf3084984f57580fbe4f40b9
xman.bin = f27cb8327406f999fbd60d39d6ad81ea
Zeus Drop Zones:
Domain Registration Information:
The name server domain (dimplemolar.net) has been observed providing name services for other past Zeus domains:
Registration for the nameserver domain:
Dancho blogs related to carruawau registration information:
IRS/PhotoArchive Themed Zeus:
ns1.hourscanine.com - 184.108.40.206
Keeping Money Mule Recruiters on a Short Leash:
ns1.dimplemolar.net - 220.127.116.11
Investigating some of the IPs involved in the fluxing show that they are part of a Zeus botnet.
For example, DNSBL.abuse.ch shows that 18.104.22.168 resolving the domain kldmten.net which at present has had 547 bot IPs observed supporting this domain.
The botnet infrastructure supporting the fast-flux hosting and name resolution for these Zeus and money mule recruiting campaigns is related to the Avalanche botnet which has been discussed on the PhishLabs blog.