Zscaler Announces Intent to Acquire Airgap Networks to extend Zero Trust SASE

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Zeus C&C (Avalanche)

image
THREATLABZ
June 25, 2010 - 2 min read

Recent Zeus C&C activity has been observed from: mnbvicdij4uhdjb5421knnkd.com
At the time of posting, the domain is not present in ZeusTracker.

The domain is currently fluxing (Fast-Flux), notice short TTLs and numerous A records across a number of netblocks (in this case, bots):
Image
Zeus Configuration URLs:
hxxp://mnbvicdij4uhdjb5421knnkd.com/bin/oraha.bin
hxxp://mnbvicdij4uhdjb5421knnkd.com/bin/orahxa.bin
hxxp://mnbvicdij4uhdjb5421knnkd.com/xman/xman.bin

oraha.bin = dfd46f8fdf3084984f57580fbe4f40b9
orahxa.bin = dfd46f8fdf3084984f57580fbe4f40b9
xman.bin = f27cb8327406f999fbd60d39d6ad81ea

Zeus Drop Zones:
hxxp://mnbvicdij4uhdjb5421knnkd.com/xman/gogo.php
hxxp://mnbvicdij4uhdjb5421knnkd.com/cp01/zen.php

Domain Registration Information:
ImageRegistrant Contact:
ImageThe name server domain (dimplemolar.net) has been observed providing name services for other past Zeus domains:
haijeihefoobeekahkohweto.com
eethahchaehiexahgeemaugh.com
ziosuovareipheighaisheek.com

Registration for the nameserver domain:
Image
Dancho blogs related to carruawau registration information:

IRS/PhotoArchive Themed Zeus:
ns1.hourscanine.com - 87.117.245.9

Keeping Money Mule Recruiters on a Short Leash:
ns1.dimplemolar.net - 207.126.161.29

Investigating some of the IPs involved in the fluxing show that they are part of a Zeus botnet.
For example, DNSBL.abuse.ch shows that 98.214.150.140 resolving the domain kldmten.net which at present has had 547 bot IPs observed supporting this domain.

Image
The botnet infrastructure supporting the fast-flux hosting and name resolution for these Zeus and money mule recruiting campaigns is related to the Avalanche botnet which has been discussed on the PhishLabs blog.

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.