Remember ZeuS? The infamous crimeware-in-the-middle exploitation kit? In this post I'll share historical OSINT on various ZeuS-themed malicious and fraudulent campaigns intercepted throughout 2008 and provide actionable intelligence on the infrastructure behind them.
Related malicious domains and IP addresses known to have participated in the campaign, listed as the defanged (hxxp://) URLs from which the ZeuS cfg.bin configuration file was served:
hxxp://myxaxa.com/z/cfg.bin
hxxp://dokymentu.info/zeus/cfg.bin
hxxp://online-traffeng.com/zeus/cfg.bin
hxxp://malwaremodel.biz/zeus/cfg.bin
hxxp://giftcardsbox.com/web/cfg.bin
hxxp://d0rnk.com/cfg.bin
hxxp://rfs-group.net/cool/cfg.bin
hxxp://62.176.16.19/11/cfg.bin
hxxp://81.95.149.74/demo/cfg.bin
hxxp://66.235.175.5/.cs/cfg.bin
hxxp://208.72.169.152/web/cfg.bin
hxxp://antispyware-protection.com/web/cfg.bin
hxxp://s0s1.net/web/cfg.bin
hxxp://208.72.169.151/admin/cfg.bin
hxxp://1ntr0.com/zuzu/cfg.bin
hxxp://88.255.90.170/bt/fiz/cfg.bin
hxxp://58.65.235.4/web/conf/cfg.bin
hxxp://forgoogleonly.cn/open/cfg.bin
hxxp://194.1.152.172/11/cfg.bin
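As an added example (not part of the original post), the following Python script turns the defanged list above into host and path indicators and runs them over a few proxy log lines. The Squid-style log lines are constructed for the example, and the secondary heuristic that flags a `/cfg.bin` download from an unlisted host is my own assumption, not something the post states.

```python
"""Parse the defanged ZeuS cfg.bin URL list into indicators and scan proxy logs.

Added example, not code from the original post. The indicator URLs are the
ones listed in the post; the log lines below are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as the post lists them (defanged with hxxp://).
DEFANGED_URLS = """
hxxp://myxaxa.com/z/cfg.bin
hxxp://dokymentu.info/zeus/cfg.bin
hxxp://online-traffeng.com/zeus/cfg.bin
hxxp://malwaremodel.biz/zeus/cfg.bin
hxxp://giftcardsbox.com/web/cfg.bin
hxxp://d0rnk.com/cfg.bin
hxxp://rfs-group.net/cool/cfg.bin
hxxp://62.176.16.19/11/cfg.bin
hxxp://81.95.149.74/demo/cfg.bin
hxxp://66.235.175.5/.cs/cfg.bin
hxxp://208.72.169.152/web/cfg.bin
hxxp://antispyware-protection.com/web/cfg.bin
hxxp://s0s1.net/web/cfg.bin
hxxp://208.72.169.151/admin/cfg.bin
hxxp://1ntr0.com/zuzu/cfg.bin
hxxp://88.255.90.170/bt/fiz/cfg.bin
hxxp://58.65.235.4/web/conf/cfg.bin
hxxp://forgoogleonly.cn/open/cfg.bin
hxxp://194.1.152.172/11/cfg.bin
"""


def refang(url):
    """Turn the defanged hxxp:// scheme back into http:// so urlsplit can parse it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def parse_indicators(text):
    """Return one dict per non-empty line: url, host, path and kind ('ip' or 'domain')."""
    indicators = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url = refang(line)
        parts = urlsplit(url)
        host = parts.hostname
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        indicators.append({"url": url, "host": host, "path": parts.path, "kind": kind})
    return indicators


INDICATORS = parse_indicators(DEFANGED_URLS)


def hosts_by_kind(indicators=INDICATORS):
    """Group hosts by kind, e.g. to feed a DNS sinkhole (domains) and a firewall list (IPs)."""
    grouped = {"ip": set(), "domain": set()}
    for ind in indicators:
        grouped[ind["kind"]].add(ind["host"])
    return grouped


# Constructed Squid native access-log lines (not from the post):
# timestamp elapsed client status/code bytes method url ident hierarchy/peer content-type
SAMPLE_LOG = """
1224500000.123    120 10.0.0.5 TCP_MISS/200 1532 GET http://myxaxa.com/z/cfg.bin - DIRECT/198.51.100.10 application/octet-stream
1224500001.456     80 10.0.0.7 TCP_MISS/200 8821 GET http://www.example.com/index.html - DIRECT/198.51.100.20 text/html
1224500002.789    200 10.0.0.9 TCP_MISS/404 410 GET http://62.176.16.19/11/cfg.bin - DIRECT/62.176.16.19 text/html
1224500003.000    150 10.0.0.5 TCP_MISS/200 1400 GET http://unknown-host.example/web/cfg.bin - DIRECT/198.51.100.30 application/octet-stream
"""


def scan_log(log_text, indicators=INDICATORS):
    """Return (client, url, reason) for each request that matches an indicator.

    A request to a listed host is a direct hit. A /cfg.bin download from a host
    not on the list is flagged separately (assumed heuristic) for analyst review.
    """
    known_hosts = {ind["host"] for ind in indicators}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        parts = urlsplit(url)
        if parts.hostname in known_hosts:
            hits.append((client, url, "known ZeuS config host"))
        elif parts.path.endswith("/cfg.bin"):
            hits.append((client, url, "cfg.bin fetch from unlisted host"))
    return hits


if __name__ == "__main__":
    for kind, hosts in hosts_by_kind().items():
        print(kind, len(hosts), sorted(hosts))
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url} [{reason}]")
```

The `hosts_by_kind()` split is there because the two kinds of indicator are usually enforced in different places: domains belong in a DNS sinkhole or proxy denylist, while bare IPs go to the firewall. The log scanner records only hits and reasons; it does nothing with the configuration URLs themselves.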
We'll continue monitoring the campaign and post updates as soon as new developments take place.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Saturday, October 20, 2018
Historical OSINT - Calling Zeus Home
Tags: Botnet, Crimeware, Cybercrime, Hacking, Information Security, Malicious Software, Security, ZeuS