Thanks to Dancho Danchev, WhoisXML API's DNS Threat Researcher, for the original investigations available here, which led to the creation of this post.
ZeuS malware traces its origin as far back as 2006, when it was used to steal victims’ online banking credentials. In 2011, its source code was leaked on a file-sharing site and quickly spread throughout various underground fora. After that, its code was enhanced by several cybercriminal gangs to display more sinister behaviors like file infection and income generation from pay-per-click (PPC) models.
From 2007 onward, families widely linked to the ZeuS lineage, including Gozi, Carberp, SpyEye, Shylock, Citadel, Tinba, Kins, Vawtrak, Emotet, Dyre, and Dridex, have continued to appear in campaigns. Most are still Trojans or spyware built to steal victims' personally identifiable information (PII), and they remain available for purchase underground.
We recently collated 17 Jabber ZeuS domains and subjected these to further analysis using various domain and IP intelligence tools to obtain as many artifacts as possible. These could help users avoid the risks the threat poses.
The Jabber ZeuS gang have been known to use the following 17 domains in their campaigns:
Subjecting the domains above to DNS lookups yielded the following five IP addresses:
While none of these are deemed malicious, they may be worth monitoring at least for signs of malicious activity due to their connection with the Jabber ZeuS domains.
According to reverse IP/DNS lookups, the five IP addresses above hosted at least 940 domains. Some of them are tagged "malicious" or "suspicious" on VirusTotal. Examples include:
Screenshot lookups of the malicious domains above and the domains in our original list of IoCs showed that:
One led to a real property selling site (4011sagesave[.]info).
One led to a healthcare site (aeyana[.]com).
One led to a consultancy service site (alexandra-spencer[.]com).
One led to a blog (noticiasvendermaslibros[.]esy[.]es).
From the screenshots above, we can infer that only nine appear to be still operational. The rest could have been taken down already for their alleged ties to the Jabber ZeuS gang.
A bulk WHOIS lookup found records for only five of them (4011sagesave[.]info, rfh[.]icu, cyrto[.]com, 34268[.]com, and alexandra-spencer[.]com). All of their WHOIS records are privacy-protected, so their owners couldn't be identified. We did determine, however, that none of the five still-active domains were newly registered.
Historical WHOIS record lookups on them gave us three registrant organizations, one registrant name, and three contact email addresses. Using these as historical reverse WHOIS search terms provided a list of 10,092 domains that could be tied to the Jabber ZeuS gang. Monitoring these domains at the very least is advisable due to their possible connection to the threat. Some of them could be malicious or suspicious as well.
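The pivot chain described above (seed domains, forward DNS, reverse IP to co-hosted domains, then a reputation check before anything is called malicious) is easy to get wrong by treating every co-hosted domain as related. The script below is an added example, not WhoisXML API's tooling or code from the original post. It refangs the seed indicators, builds the reverse-IP map, and keeps "shares an IP" separate from "flagged by a reputation source". Every lookup is a stub over constructed data (RFC 5737 documentation IPs and reserved .example/.test names), so it runs offline; the `live_forward` helper shows where a real resolver would plug in.

```python
"""Infrastructure pivot of the kind described in the post: refang the seed IoCs,
forward-resolve them, invert the result into a reverse-IP (co-hosting) map, then
separate co-hosted domains that a reputation source flags from ones that merely
share an IP. Added example, not WhoisXML API's tooling. All lookups are stubbed
with constructed data (RFC 5737 documentation IPs, reserved .example/.test names)
so it runs offline; swap in real DNS, reverse-IP and reputation calls."""
from __future__ import annotations

import re
import socket
from collections import defaultdict

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Normalise a defanged IoC such as `aeyana[.]com` or `hxxp://x[.]y/` to a
    plain hostname. Scheme and path are dropped; only the host is kept."""
    s = indicator.strip().lower()
    s = re.sub(r"^(hxxps?|https?)://", "", s)
    s = _DEFANG.sub(".", s)
    return s.split("/", 1)[0].rstrip(".")


def defang(hostname: str) -> str:
    """Inverse of refang, for writing indicators back into a report."""
    return hostname.replace(".", "[.]")


# --- Constructed stand-ins for live services --------------------------------
# Seed domains are taken from the post; the IPs they map to here are constructed.
SEED_IOCS = [
    "4011sagesave[.]info",
    "aeyana[.]com",
    "alexandra-spencer[.]com",
    "hxxp://noticiasvendermaslibros[.]esy[.]es/",
]
_FORWARD = {  # constructed A records
    "4011sagesave.info": ["192.0.2.10"],
    "aeyana.com": ["192.0.2.10", "198.51.100.7"],
    "alexandra-spencer.com": ["198.51.100.7"],
    "noticiasvendermaslibros.esy.es": ["203.0.113.44"],
}
_REVERSE = {  # constructed reverse-IP results: seeds plus co-hosted neighbours
    "192.0.2.10": ["4011sagesave.info", "aeyana.com", "shop-one.example", "lookalike-login.test"],
    "198.51.100.7": ["aeyana.com", "alexandra-spencer.com", "blog-two.example"],
    "203.0.113.44": ["noticiasvendermaslibros.esy.es", "dropper-host.test", "parked-three.example"],
}
_VERDICTS = {  # constructed reputation verdicts; only reserved names are flagged
    "lookalike-login.test": "malicious",
    "dropper-host.test": "suspicious",
}


def stub_forward(domain: str) -> list[str]:
    return _FORWARD.get(domain, [])


def stub_reverse(ip: str) -> list[str]:
    return _REVERSE.get(ip, [])


def stub_verdict(domain: str) -> str:
    return _VERDICTS.get(domain, "undetected")


def live_forward(domain: str) -> list[str]:
    """Real A/AAAA resolution via the system resolver (not used by default).
    Reverse IP has no stdlib equivalent: PTR records are not reverse-IP data,
    so that step needs a passive-DNS or reverse-IP API."""
    try:
        infos = socket.getaddrinfo(domain, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# --- The pivot ----------------------------------------------------------------
def pivot(seed_iocs, forward=stub_forward, reverse=stub_reverse, verdict=stub_verdict):
    """Return (ip -> seed domains, co-hosted domain -> ips, flagged domain -> verdict).
    Co-hosted domains are a watchlist only: on shared hosting an IP in common is
    not evidence of shared ownership, which is why the verdict pass is separate."""
    seeds = {refang(i) for i in seed_iocs}
    ip_to_seeds: dict[str, set[str]] = defaultdict(set)
    for d in sorted(seeds):
        for ip in forward(d):
            ip_to_seeds[ip].add(d)

    cohosted: dict[str, set[str]] = defaultdict(set)
    for ip in sorted(ip_to_seeds):
        for d in reverse(ip):
            d = refang(d)
            if d not in seeds:  # only *new* infrastructure goes on the watchlist
                cohosted[d].add(ip)

    flagged = {}
    for d in sorted(cohosted):
        v = verdict(d)
        if v in ("malicious", "suspicious"):
            flagged[d] = v
    return dict(ip_to_seeds), dict(cohosted), flagged


if __name__ == "__main__":
    ips, watch, flagged = pivot(SEED_IOCS)
    print(f"{len(ips)} IPs, {len(watch)} co-hosted domains on the watchlist, {len(flagged)} flagged")
    for d, v in flagged.items():
        print(f"  {defang(d)}: {v} (shares {', '.join(sorted(watch[d]))})")
```

The same shape carries over to the WHOIS step: the registrant fields recovered from historical records become the seeds, a historical reverse-WHOIS lookup plays the role of `reverse`, and the output is again a watchlist until a reputation or content check says otherwise. Watchlist size grows fast on shared hosting and with common registrant organizations, so record which pivot produced each domain; a domain that only shares a hosting IP deserves far less weight than one sharing a registrant email.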
If you wish to obtain a list of the artifacts we collated from our in-depth analysis of the known Jabber ZeuS domains, please feel free to contact us. We are open to research collaboration, especially given that ZeuS may still be alive and kicking and users need protection from it.