By: ThreatLabz

Zeus C&C (Avalanche)

Malware

Recent Zeus C&C activity has been observed from: mnbvicdij4uhdjb5421knnkd.com
At the time of posting, the domain is not present in ZeusTracker.

The domain is currently fluxing (Fast-Flux), notice short TTLs and numerous A records across a number of netblocks (in this case, bots):

Zeus Configuration URLs:
hxxp://mnbvicdij4uhdjb5421knnkd.com/bin/oraha.bin
hxxp://mnbvicdij4uhdjb5421knnkd.com/bin/orahxa.bin
hxxp://mnbvicdij4uhdjb5421knnkd.com/xman/xman.bin

oraha.bin = dfd46f8fdf3084984f57580fbe4f40b9
orahxa.bin = dfd46f8fdf3084984f57580fbe4f40b9
xman.bin = f27cb8327406f999fbd60d39d6ad81ea

Zeus Drop Zones:
hxxp://mnbvicdij4uhdjb5421knnkd.com/xman/gogo.php
hxxp://mnbvicdij4uhdjb5421knnkd.com/cp01/zen.php

Domain Registration Information:
Registrant Contact:
The name server domain (dimplemolar.net) has been observed providing name services for other past Zeus domains:
haijeihefoobeekahkohweto.com
eethahchaehiexahgeemaugh.com
ziosuovareipheighaisheek.com

Registration for the nameserver domain:

Dancho blogs related to carruawau registration information:

IRS/PhotoArchive Themed Zeus:
ns1.hourscanine.com - 87.117.245.9

Keeping Money Mule Recruiters on a Short Leash:
ns1.dimplemolar.net - 207.126.161.29

Investigating some of the IPs involved in the fluxing show that they are part of a Zeus botnet.
For example, DNSBL.abuse.ch shows that 98.214.150.140 resolving the domain kldmten.net which at present has had 547 bot IPs observed supporting this domain.


The botnet infrastructure supporting the fast-flux hosting and name resolution for these Zeus and money mule recruiting campaigns is related to the Avalanche botnet which has been discussed on the PhishLabs blog.

Learn more about Zscaler.