
Zeus C&C (Avalanche)


By: ThreatLabz

Recent Zeus C&C activity has been observed from: mnbvicdij4uhdjb5421knnkd.com
At the time of posting, the domain is not present in ZeusTracker.

The domain is currently fluxing (fast-flux): notice the short TTLs and the numerous A records spread across a number of netblocks (in this case, the A records point at infected bots):
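The fast-flux indicators named above (short TTL, many A records, addresses scattered across unrelated netblocks) can be scored mechanically from resolver or passive-DNS logs. The script below is an added example written for this post, not ThreatLabz code; the query names, IP addresses, TTLs and the three thresholds are all constructed assumptions chosen to illustrate the heuristic, not values taken from the campaign.

```python
"""Fast-flux heuristic over DNS A-record observations.

Added example for the post above (not ThreatLabz code). Input is a list of
(query name, A record, TTL seconds) tuples as a resolver or passive-DNS log
would record them over a period of time. Every record here is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed observations. "flux-cnc.example" mimics the pattern described in
# the post: low TTL, many addresses, many unrelated /24s. "cdn-like.example" has
# a low TTL too but few addresses, and "static-site.example" is a normal host.
OBSERVATIONS = [
    ("flux-cnc.example", "203.0.113.10", 120),
    ("flux-cnc.example", "203.0.113.200", 120),
    ("flux-cnc.example", "198.51.100.77", 120),
    ("flux-cnc.example", "198.51.100.9", 120),
    ("flux-cnc.example", "192.0.2.44", 120),
    ("flux-cnc.example", "100.64.1.3", 120),
    ("cdn-like.example", "192.0.2.100", 60),
    ("cdn-like.example", "192.0.2.101", 60),
    ("cdn-like.example", "198.51.100.200", 60),
    ("cdn-like.example", "198.51.100.201", 60),
    ("static-site.example", "192.0.2.5", 86400),
    ("static-site.example", "192.0.2.6", 86400),
]

# Assumed thresholds; tune them against your own resolver traffic.
MAX_TTL = 300      # TTLs at or below this count as "short"
MIN_IPS = 5        # distinct A records needed to count as "numerous"
MIN_BLOCKS = 3     # distinct /24 netblocks needed to count as "scattered"


def netblock(ip, prefix=24):
    """Collapse an address to its /prefix network, e.g. 203.0.113.77 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def summarize(observations):
    """Group observations per query name: distinct IPs, distinct netblocks, all TTLs seen."""
    per_name = defaultdict(lambda: {"ips": set(), "blocks": set(), "ttls": []})
    for name, ip, ttl in observations:
        rec = per_name[name]
        rec["ips"].add(ip)
        rec["blocks"].add(netblock(ip))
        rec["ttls"].append(ttl)
    return per_name


def flux_score(rec, max_ttl=MAX_TTL, min_ips=MIN_IPS, min_blocks=MIN_BLOCKS):
    """Return 0..3: one point each for short TTL, many A records, many netblocks."""
    score = 0
    if min(rec["ttls"]) <= max_ttl:
        score += 1
    if len(rec["ips"]) >= min_ips:
        score += 1
    if len(rec["blocks"]) >= min_blocks:
        score += 1
    return score


def classify(observations, threshold=2):
    """Map each query name to True when its flux score reaches the threshold."""
    summary = summarize(observations)
    return {name: flux_score(rec) >= threshold for name, rec in summary.items()}


if __name__ == "__main__":
    for name, rec in summarize(OBSERVATIONS).items():
        print(f"{name:22} ips={len(rec['ips'])} blocks={len(rec['blocks'])} "
              f"min_ttl={min(rec['ttls'])} score={flux_score(rec)}")
    print(classify(OBSERVATIONS))
```

A score alone is a lead, not a verdict: short TTLs with several A records also describe legitimate CDN and load-balanced hosts, which is why the post goes on to cross-check the resolved IPs against bot reputation data (DNSBL.abuse.ch) before calling the infrastructure a botnet.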

Zeus Configuration URLs:

oraha.bin = dfd46f8fdf3084984f57580fbe4f40b9
orahxa.bin = dfd46f8fdf3084984f57580fbe4f40b9
xman.bin = f27cb8327406f999fbd60d39d6ad81ea

Zeus Drop Zones:

Domain Registration Information:
Registrant Contact:
The name server domain (dimplemolar.net) has been observed providing name services for other past Zeus domains:

Registration for the nameserver domain:

Dancho blogs related to carruawau registration information:

IRS/PhotoArchive Themed Zeus:
ns1.hourscanine.com -

Keeping Money Mule Recruiters on a Short Leash:
ns1.dimplemolar.net -

Investigating some of the IPs involved in the fluxing shows that they are part of a Zeus botnet.
For example, DNSBL.abuse.ch shows that the domain kldmten.net has, at present, had 547 bot IPs observed supporting it.

The botnet infrastructure supporting the fast-flux hosting and name resolution for these Zeus and money mule recruiting campaigns is related to the Avalanche botnet which has been discussed on the PhishLabs blog.
