ZeuS, Still Alive and Kicking in the Form of Jabber ZeuS?

This article has been indexed from CircleID: Cybercrime

Thanks to Dancho Danchev, WhoisXML API’s DNS Threat Researcher, for the original investigations (available here) that led to the creation of this post.

ZeuS malware traces its origin as far back as 2006, when it was used to steal victims’ online banking credentials. In 2011, its source code was leaked on a file-sharing site and quickly spread throughout various underground fora. After that, its code was enhanced by several cybercriminal gangs to display more sinister behaviors like file infection and income generation from pay-per-click (PPC) models.

From 2007 until now, we still see malware such as Gozi, Carberp, SpyEye, Shylock, Citadel, Tinba, Kins, Vawtrak, Emotet, Dyre, and Dridex, all of which were based on ZeuS, used in various campaigns. Most of these are still Trojans or spyware meant to steal victims’ personally identifiable information (PII), and they remain available for purchase underground.

We recently collated 17 Jabber ZeuS domains and subjected these to further analysis using various domain and IP intelligence tools to obtain as many artifacts as possible. These could help users avoid the risks the threat poses.

What We Know So Far

The Jabber ZeuS gang has been known to use the following 17 domains in its campaigns:

What We Uncovered from This Information

Subjecting the domains above to DNS lookups yielded the following five IP addresses:

  • 74[.]208[.]236[.]172
  • 151[.]106[.]96[.]114
  • 162[.]255[.]119[.]20
  • 80[.]76[.]218[.]240
  • 95[.]128[.]49[.]240

While none of these are deemed malicious, they may be worth monitoring at least for signs of malicious activity due to their connection with the

[…]

Read the original article: ZeuS, Still Alive and Kicking in the Form of Jabber ZeuS?