Amazon (AWS) zagent is it a malware / remote? [closed]

i ran netstat command and found some amazon tcp connections that i don't know

zagent1644.h-cdn.com
142.44.212.29
zagent1642.h-cdn.com
145.239.8.193
zagent859.h-cdn.com
217.182.138.56
zagent1678.h-cdn.com
54.37.85.231

could they be a like an api that sends commands from a RAT to the spyware inside my computer ? do you have any idea about them ?

3

1 Answer

None of this makes any sense. Let's start from the beginning.

Whois h-cdn.com?

$ whois h-cdn.com Domain Name: H-CDN.COM Registry Domain ID: 1941013588_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.godaddy.com Registrar URL: Updated Date: 2017-05-11T05:47:51Z Creation Date: 2015-06-22T13:21:45Z Registry Expiry Date: 2019-06-22T13:21:45Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: Registrar Abuse Contact Phone: 480-624-2505 Domain Status: clientDeleteProhibited Domain Status: clientRenewProhibited Domain Status: clientTransferProhibited Domain Status: clientUpdateProhibited Name Server: NS-1336.AWSDNS-39.ORG Name Server: NS-1696.AWSDNS-20.CO.UK Name Server: NS-421.AWSDNS-52.COM Name Server: NS-608.AWSDNS-12.NET

It looks like this domain is served from Amazon nameservers, but there is no indication Amazon is the registrant. The fact that GoDaddy is the registrar is suspicious; they ask no questions about customer identity and are terrible about responding to abuse complaints so they're popular among fraudsters and malware authors.

All four of those IPs listed are assigned to OVH, similar to Amazon, but different in that they do not seem to have any legitimate business these days beyond providing infrastructure for botnets, crawlers/scrapers, ad networks and other shadiness. So there's that as well.

What else I've seen of h-cdn is a lot of TCP traffic bound for subdomains of h-cdn.com on port 443 with dst IPs assigned to Leaseweb, another internet paragon of integrity and virtue.

Our firewall shoots down all this traffic on sight so I don't have any metrics. Amazon has nothing to do with this, and none of the rest of the infrastructure involved here has a clean history but there is no evidence we're looking at malware or RATs; given the context in which I see similar traffic surrounding these events my guess is we're dealing with an ad network using websockets to keep connections open (to spy/"perform behavioral analytics" on users), hence why you're seeing it in netstat.

You Might Also Like