cyber_threat_intelligence/Zbot

Zbot - Cyber Threat Intelligence

The indicators are related to VulDB CTI analysis of the actor known as Zbot. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.zbot

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Zbot:

• US
• ES
• RU
• ...

There are 16 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Zbot.

ID	IP address	Hostname	Confidence
1	3.223.115.185	ec2-3-223-115-185.compute-1.amazonaws.com	Medium
2	12.96.218.170	-	High
3	13.32.204.55	server-13-32-204-55.iad66.r.cloudfront.net	High
4	18.207.9.28	ec2-18-207-9-28.compute-1.amazonaws.com	Medium
5	23.56.9.181	a23-56-9-181.deploy.static.akamaitechnologies.com	High
6	23.96.30.229	-	High
7	23.193.42.12	a23-193-42-12.deploy.static.akamaitechnologies.com	High
8	23.227.38.32	myshopify.com	High
9	24.115.94.180	24.115.94.180.res-cmts.ovr.ptd.net	High
10	24.120.165.58	wsip-24-120-165-58.lv.lv.cox.net	High
11	27.54.110.77	77.110.54.27.dhcp.mct.ne.jp	High
12	32.178.143.61	mobile-32-178-143-61.mycingular.net	High
13	34.72.197.182	182.197.72.34.bc.googleusercontent.com	Medium
14	35.177.71.77	ns1.symbiant.net	High
15	36.2.242.186	36-2-242-186.aichi.otk.vectant.ne.jp	High
16	39.116.90.10	-	High
17	41.168.5.140	-	High
18	45.60.77.201	-	High
19	49.212.235.209	www3469.sakura.ne.jp	High
20	50.72.177.24	S01069050ca30b943.wp.shawcable.net	High
21	50.116.43.143	50-116-43-143.ip.linodeusercontent.com	High
22	51.178.156.9	ip9.ip-51-178-156.eu	High
23	52.85.132.44	server-52-85-132-44.iad50.r.cloudfront.net	High
24	52.137.90.34	-	High
25	52.185.71.28	-	High
26	58.1.158.10	ntaich204010.aich.nt.ngn.ppp.infoweb.ne.jp	High
27	58.68.2.214	-	High
28	58.185.131.158	-	High
29	59.90.221.6	static.bb.hyd.59.90.221.6.bsnl.in	High
30	60.244.81.6	60-244-81-6.apol.com.tw	High
31	61.7.235.35	-	High
32	61.32.242.131	-	High
33	62.49.180.189	-	High
34	64.219.121.189	-	High
35	65.55.50.189	-	High
36	66.34.208.39	-	High
37	66.117.77.134	66-117-77-134.gohighspeed.com	High
38	66.151.138.85	c-66-151-138-85.inap-sj.nfoservers.com	High
39	66.214.95.108	066-214-095-108.res.spectrum.com	High
40	68.13.34.171	ip68-13-34-171.om.om.cox.net	High
41	69.39.74.6	mail.marrsterry.com	High
42	...	...	...

There are 165 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Zbot. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Description	Confidence
1	T1059.007	Cross Site Scripting	High
2	T1068	Execution with Unnecessary Privileges	High
3	T1110.001	Improper Restriction of Excessive Authentication Attempts	High
4	...	...	...

There are 7 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Zbot. This data is unique as it uses our predictive model for actor profiling.

ID	Type	Indicator	Confidence
1	File	/?ajax-request=jnews	High
2	File	/admin/admin.php	High
3	File	/admin/imageslider/file.php	High
4	File	/cgi-bin/luci	High
5	File	/core/vb/vurl.php	High
6	File	/etc/ldap.conf	High
7	File	/importTool/preview	High
8	File	/mods/_core/courses/users/create_course.php	High
9	File	/phppath/php	Medium
10	File	/plugins/Dashboard/Controller.php	High
11	File	/server-status	High
12	File	/uncpath/	Medium
13	File	adclick.php	Medium
14	File	add_comment.php	High
15	File	admin-ajax.php	High
16	File	admin.php	Medium
17	File	admin/class-bulk-editor-list-table.php	High
18	File	ajax/render/widget_php	High
19	...	...	...

There are 153 more IOA items available. Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

• https://blog.talosintelligence.com/2021/02/threat-roundup-0129-0205.html
• https://blog.talosintelligence.com/2021/02/threat-roundup-0205-0212.html
• https://blog.talosintelligence.com/2021/02/threat-roundup-0212-0219.html
• https://blog.talosintelligence.com/2021/03/threat-roundup-0226-0305.html
• https://blog.talosintelligence.com/2021/05/threat-roundup-0507-0514.html
• https://blog.talosintelligence.com/2021/05/threat-roundup-0514-0521.html
• https://blog.talosintelligence.com/2021/05/threat-roundup-0521-0528.html
• https://blog.talosintelligence.com/2021/06/threat-roundup-0528-0604.html
• https://blog.talosintelligence.com/2021/06/threat-roundup-0604-0611.html
• https://blog.talosintelligence.com/2021/06/threat-roundup-0617-0624.html
• https://blog.talosintelligence.com/2021/07/threat-roundup-0625-0702.html
• https://blog.talosintelligence.com/2021/07/threat-roundup-0702-0709.html
• https://blog.talosintelligence.com/2021/07/threat-roundup-for-july-9-to-july-16.html
• https://blog.talosintelligence.com/2021/10/threat-roundup-1008-1015.html
• https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
• https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html

Literature

The following articles explain our unique predictive cyber threat intelligence:

• VulDB Cyber Threat Intelligence Documentation
• Cyber Threat Intelligence - Early Anticipation of Attacks

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!