Advisory ID: ngCERT-2025-080006
SUMMARY
The Avalanche botnet infrastructure has been identified as one of the largest global network hosting infrastructures used by cyber criminals to run phishing and malware campaigns, as well as money mule scams. Successful malware infections have resulted in theft of sensitive data, ransomware attacks, deployment of banking trojans and execution of distributed denial-of-service (DDoS) attacks through compromised systems. Although the Avalanche botnet was taken down by foreign law enforcement agencies in 2016, recent investigations revealed traces of the associated malware infections still affecting some systems and IP addresses within Nigeria. Consequently, individuals and organizations are advised to put safeguards in place to mitigate the risks associated with the Avalanche botnet infrastructure and other malware threats.
Damage: Critical
Probability: High
Platform(s): Windows, web browsers, and email platforms
DESCRIPTION
The Avalanche botnet provides its operators with an extra layer of protection against take-down and domain blocking, enables malware hosting and distribution services, supports numerous phishing operations and the deployment of DoS attacks, and underpins various money laundering schemes. The network uses DNS techniques to hide cybercrime behind an ever-changing network of compromised hosts (systems) acting as proxies. Threat actors send spam emails pretending to come from trustworthy organisations, which serve as click-bait to lure victims into installing the malicious software attached to the emails. Thereafter, the malware steals personal information, such as passwords and credit card details, and grants cybercriminals remote access to the infected computer.
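The DNS technique described above, an ever-changing set of compromised proxy hosts behind one hostname, is commonly called fast-flux hosting, and it leaves a recognisable fingerprint in DNS resolution logs: one name answering with many distinct IP addresses spread across unrelated networks, each answer carrying a very short TTL. The following detection heuristic is an added example written for this advisory, not code from ngCERT or from any of the referenced sources. The record format, the thresholds (5 distinct IPs, 3 distinct /24 networks, TTL at or below 300 seconds) and the sample observations are all constructed assumptions; tune the thresholds against your own passive-DNS or resolver logs before acting on the output.

```python
"""Flag hostnames whose DNS answers rotate across many hosts and networks.

Added example: scores passive-DNS style observations per hostname by the
number of distinct IPv4 addresses, distinct /24 networks and the smallest
TTL seen within a sliding window. All thresholds and sample data are
constructed assumptions, not values from the advisory.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class DnsObservation:
    ts: int      # epoch seconds when the answer was observed
    name: str    # queried hostname
    ip: str      # address returned in an A record
    ttl: int     # TTL of that answer


def fluxiness(observations, window=3600):
    """Per-name metrics over the last `window` seconds of each name's history."""
    per_name = defaultdict(list)
    for o in observations:
        if ip_address(o.ip).version != 4:   # /24 grouping below is IPv4-only
            continue
        per_name[o.name].append(o)
    metrics = {}
    for name, obs in per_name.items():
        obs.sort(key=lambda o: o.ts)
        start = obs[-1].ts - window          # window ends at the latest observation
        recent = [o for o in obs if o.ts >= start]
        ips = {o.ip for o in recent}
        nets = {ip_network(f"{o.ip}/24", strict=False) for o in recent}
        metrics[name] = {
            "ips": len(ips),
            "nets": len(nets),
            "min_ttl": min(o.ttl for o in recent),
        }
    return metrics


def is_fast_flux(m, min_ips=5, min_nets=3, max_ttl=300):
    """All three indicators must hold: many IPs, spread over networks, short TTL.

    Requiring distinct /24s avoids flagging ordinary round-robin pools that
    rotate several addresses inside one provider's block.
    """
    return m["ips"] >= min_ips and m["nets"] >= min_nets and m["min_ttl"] <= max_ttl


def find_fast_flux(observations, **thresholds):
    """Return the sorted list of hostnames whose metrics meet the fast-flux heuristic."""
    return sorted(n for n, m in fluxiness(observations).items() if is_fast_flux(m, **thresholds))


def sample_observations():
    """Constructed sample log: one fluxing name, one stable name, one round-robin name."""
    base = 1_700_000_000
    flux_ips = ["192.0.2.10", "192.0.2.77", "198.51.100.4",
                "203.0.113.9", "203.0.113.200", "198.51.100.150"]
    obs = [DnsObservation(base + 500 * i, "flux.example", ip, 60)
           for i, ip in enumerate(flux_ips)]
    # An old answer far outside the one-hour window; must not be counted.
    obs.append(DnsObservation(base - 90_000, "flux.example", "192.0.2.250", 60))
    # Stable hosting: two addresses, long TTL.
    obs += [DnsObservation(base + 100, "cdn.example", "192.0.2.1", 3600),
            DnsObservation(base + 2000, "cdn.example", "192.0.2.2", 3600)]
    # Round-robin inside a single /24: many IPs, short TTL, but one network.
    obs += [DnsObservation(base + 300 * i, "rr.example", f"198.51.100.{20 + i}", 60)
            for i in range(6)]
    return obs


if __name__ == "__main__":
    for name, m in sorted(fluxiness(sample_observations()).items()):
        print(f"{name:14} ips={m['ips']} nets={m['nets']} min_ttl={m['min_ttl']} "
              f"flagged={is_fast_flux(m)}")
```

On real data, feed the function your resolver or passive-DNS records and review flagged names before blocking: legitimate content delivery networks also rotate addresses, so the /24 and TTL conditions reduce but do not eliminate false positives, and a hit should be confirmed against threat intelligence such as the CISA and BSI references below.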
CONSEQUENCES
A successful malware installation and attack process could result in:
- System compromise.
- Unauthorised access to sensitive data.
- Theft of user credentials and other sensitive data.
- Ransomware attacks.
- System takeover.
- Financial loss.
- DDoS attacks.
SOLUTION/MITIGATION
The following are recommended:
- Avoid downloading or opening attachments in emails received from unknown sources or unexpectedly from trustworthy users.
- Ensure that the assets/systems’ operating system, software, antivirus, and plugins are updated.
- Block all harmful external IP addresses on your network.
- Activate built-in security features on endpoint devices which scan malware applications.
- Implement stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solutions, endpoint detection and response solutions, and anti-malware software.
- Enforce a strong password policy and implement regular password changes.
- Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.
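The last recommendation is easiest to enforce when the set of essential ports is written down and the listening sockets on each host are compared against it regularly. The script below is an added example written for this advisory, not code from ngCERT or the referenced sources. It parses output in the format of `ss -ltnH` on Linux (the sample output embedded here is constructed) and reports every TCP listener bound to a non-loopback address whose port is not on an approved baseline; the baseline of ports 22 and 443 is an assumption to be replaced with your agency's own list.

```python
"""Report listening TCP ports that are not on an approved baseline.

Added example: parses `ss -ltnH`-style lines (STATE RECV-Q SEND-Q LOCAL PEER)
and lists non-loopback listeners outside the allowlist. The sample output
and the APPROVED baseline are constructed assumptions.
"""
import subprocess

# Constructed sample in the layout of `ss -ltnH`, including an IPv6 wildcard
# bind and a loopback-only service.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 128 [::]:3389 [::]:*
"""

# Assumed baseline of ports essential for day-to-day operations on this host.
APPROVED = {22, 443}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(text):
    """Return (address, port) tuples for each LISTEN line; tolerates blank lines."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        # rpartition on the last ':' keeps IPv6 literals such as "[::]" intact.
        addr, _, port = parts[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def unexpected_listeners(text, approved=APPROVED, ignore_loopback=True):
    """Listeners reachable from the network whose port is not approved."""
    flagged = []
    for addr, port in parse_listeners(text):
        if ignore_loopback and addr.strip("[]") in LOOPBACK:
            continue  # bound to localhost only; not exposed to the network
        if port not in approved:
            flagged.append((addr, port))
    return flagged


def audit_live_host(approved=APPROVED):
    """Run `ss -ltnH` on the current Linux host and audit its real listeners."""
    out = subprocess.run(["ss", "-ltnH"], capture_output=True, text=True, check=True).stdout
    return unexpected_listeners(out, approved)


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {addr}:{port}")
```

Each reported entry is a candidate for disabling the service or restricting it with host firewall rules; ports that turn out to be needed are added to the baseline so the audit stays quiet until something new appears. UDP listeners need a separate pass with `ss -lunH`, which this example does not cover.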
HYPERLINK
- https://www.cisa.gov/news-events/alerts/2016/12/01/avalanche-crimeware-service-infrastructure
- https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Botnetz-Avalanche/botnet-avalanche_node.html
- https://www.dataleaklawyers.co.uk/blog/avalanche-largest-cybercriminal-phishing-network-dismantled