Citadel (Zeus clone)


Re: Citadel (Zeus clone)

Postby Xylitol » Tue Mar 11, 2014 5:28 pm

I don't have the raw decode since I've not decoded it.
Edit: I asked a little birdy; it's attached.

I've found these domains in relation:
Possibly also in relation:
--
http://www.spamhaus.org/sbl/query/SBL193024
ewsoulelysejh.com/wel/file.php

And malwr seems to know a dropper: https://malwr.com/analysis/OTNkZTMyMTVm ... MxYzM0YWI/
Behavioral analysis is interesting: 86734234434.exe -> fnmod_32.exe. I've already seen this user_execute on ZeusVM (36CE0A33.zip unpacked payload).
S21 guys observed an involution of the 3.1.0.0, maybe because actors switched to ZeusVM :?:
One ZeusVM uses the same ASN as a Citadel 3.1.0.0: http://www.urlquery.net/report.php?id=7654694 and guess what, it's the one that downloads fnmod_32.exe.

Some other 3.1.0.0 in attachment.
https://www.virustotal.com/en/file/3202 ... 394564044/
https://www.virustotal.com/en/file/b71b ... 394564049/
https://www.virustotal.com/en/file/f45b ... 394564053/

Re: Citadel (Zeus clone)

Postby comak » Wed Mar 12, 2014 1:09 pm

Thanks,

Full decoded cfg attached, with patterns to webinjects and what else ;]

Re: Citadel (Zeus clone)

Postby Xylitol » Wed Mar 12, 2014 2:38 pm

Hey, thanks comak :)
In attachment, a Citadel 1.2.0.0 and a 3.1.0.0 sample; I got these from S21sec (thanks guys).

Re: Citadel (Zeus clone)

Postby g0r_ » Thu Mar 13, 2014 1:45 am

Apart from dumping memory and using a hex editor, is there an easy way to decrypt these configs? Are there any (semi) public tools that can be used if you have the config keys for a sample?
With the volume of samples we're seeing, it's becoming hard to keep up. I'd like to be able to use something, maybe Python based, to decrypt the config to save time instead of spinning up VMs and checking memory, etc. Any help/pointers appreciated.

Re: Citadel (Zeus clone)

Postby reverser » Tue Apr 01, 2014 10:36 pm

g0r_ wrote:Apart from dumping memory and using a hex editor, is there an easy way to decrypt these configs? Are there any (semi) public tools that can be used if you have the config keys for a sample?
With the volume of samples we're seeing, it's becoming hard to keep up. I'd like to be able to use something, maybe Python based, to decrypt the config to save time instead of spinning up VMs and checking memory, etc. Any help/pointers appreciated.

Try contacting JPCERT/CC, it seems they have a tool: http://blog.jpcert.or.jp/2014/03/jpcert ... -ac8c.html

Re: Citadel (Zeus clone)

Postby rkhunter » Mon Apr 28, 2014 1:20 pm


Re: Citadel (Zeus clone)

Postby Xylitol » Thu May 15, 2014 10:04 am

Slight panel modification integrating secpassword stored in the SQL db instead of PHP, like in Zeus Evolution; otherwise the sample is a 1.3.5.1 bot, not interesting (generic Wells Fargo config).
Code: Select all
INSERT INTO `cp_users` (`id`, `name`, `pass`, `secpass`, `language`, `flag_enabled`, `comment`, `ss_format`, `ss_quality`, `r_edit_bots`, `r_stats_main`, `r_stats_main_reset`, `r_stats_os`, `r_botnet_bots`, `r_botnet_webinjects_admin`, `r_botnet_webinjects_coder`, `r_botnet_scripts`, `r_botnet_scripts_edit`, `r_reports_db`, `r_reports_db_edit`, `r_reports_files`, `r_reports_files_edit`, `r_reports_jn`, `r_reports_db_cmd`, `r_svc_notes`, `r_svc_crypter_crypt`, `r_svc_crypter_pay`, `r_system_info`, `r_system_options`, `r_system_user`, `r_system_users`) VALUES
(1, 'admin', '472a84ce7f8d3ee6b25253204092e262', '472a84ce7f8d3ee6b25253204092e262', 'en', 1, 'Default user', 'jpeg', 30, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1);
 

Code: Select all
{
    "_id" : ObjectId("53748884a47c204d73f1c32b"),
    "zbotscan" : {
        "zbotscan" : {
            "data" : {
                "injected_process" : {
                    "xor_key" : "0",
                    "executable" : "Ybhoy\\ynfy.exe",
                    "comm_rc4_key_plaintext" : "2ace2cb9dfca415a89b669211257fbaf7f94388de1610fdd82fc04b4e5dd739a1690f02b424ada544cc937754868d066bd1191e07c4ba6db56856e911a3cf8040027584fa50725281cafe695d46cad8a21ac72b5fe4e0c6c440f66052c5a10e8c0253fec783ba2c06f2397fb6b7639e2b5ba816760c68dfc17a1b83cef1b57abcf756a883336ed7f139c5351d5e407f714f2d445f6fdfdc9a27ee1563ea800cf7b10ac69d3392a97311530dc63e2a8309f71d176921ea50ba741c04151a69bbb193288d320e9cdcd0a53869b2d8163b3c249b4081df7058601bf84390e3471d8708d20efbb405fc36de89efd46457a01f4eb56a0ccc5559cb88a95eec4d0bc5e",
                    "aes_key" : "63E7D8908429A95CD2542F26A99E7E78",
                    "config_rc4_keystream_plaintext" : "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",
                    "malware_zbot" : "CITADEL",
                    "process_name" : "explorer.exe",
                    "mutant_key" : "1835366737",
                    "computer_identifier" : "COMPUTER_1_7875768F1E829C61",
                    "aes_xor_key" : "FCA4C13246F5C8ABD0C5CFDC7350AB42",
                    "process_id" : 1500,
                    "process_address" : "34865152",
                    "login_key" : "C1F20D2340B519056A7D89B7DF4B0FFF",
                    "urls" : [
                        "http://54.208.246.4/webalizer/opt/ningga.php|file=config.dll",
                        "http://54.208.246.4/webalizer/opt/ningga.php|file=config.dll"
                    ],
                    "zbot_version" : " 1.3.5.1",
                    "registry" : "{'Value3': 'Kuyfce', 'key_path': 'HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Qinuy', 'Value1': 'Ceqou', 'Value2': 'Enukak'}"
                }
            },
            "config" : {}
        }
    }
}

http://vxvault.siri-urz.net/ViriFiche.php?ID=26458
https://zeustracker.abuse.ch/monitor.ph ... .208.246.4

Re: Citadel (Zeus clone)

Postby Xylitol » Mon Oct 06, 2014 8:33 am

Retrieved this old sample on my HDD: Citadel targeting France, sample courtesy of kafeine.
https://zeustracker.abuse.ch/monitor.ph ... kguides.su
https://www.virustotal.com/en/file/e188 ... 412584484/
Code: Select all
#*banquepostale.com/*
#*banquepostale.fr/*
#*caisse-epargne.fr/*
#*bnpparibas.net/*
#*societegenerale.fr/*
#*credit-agricole.fr/
#*lcl.fr/*
#*axabanque.fr/*
#*groupama.fr/*
#*banquepopulaire.fr*

Decoded and stuff in attachment as usual.

Re: Citadel (Zeus clone)

Postby tildedennis » Fri Aug 14, 2015 7:20 pm

Last month, I started seeing (new to me) Citadel samples with the following details. The configs can be decrypted and parsed like Citadel 3.1.0.0, but at this point I don't know what other differences there are (if any).

version: 1.0
bot names: 2015, apple, ATM, DM5, DM6, max, stains, usca
login keys: 258C804A6C32A4EE66E786A111B32901, A9B0A3F1522313D46F7A3D00A5F3C5FE, D8F3A28A92E53179A3EC2100B314A5CB
compilation dates (for what they're worth): 2014-12-18 14:51:49 -> 2015-07-17 19:39:59
Couple of config URLs:

Code: Select all
hXXp://ablackjob3.ru/max/file.php|file=max.xml
hXXp://adwords-shoping.ru/adwords/file.php|file=td.dll
hXXp://buseneujob2.ru/usca/file.php|file=usca.xml
hXXp://lucoilosa2.ru/usca/file.php|file=usca.xml
hXXps://anormalnoejavlenieprimer.net/bmbmbm/file.php|file=ati.xml


---

version: 1.1
bot names: black3, DM5, mac, root, usca
login keys: 258C804A6C32A4EE66E786A111B32901, D8F3A28A92E53179A3EC2100B314A5CB
compilation dates (for what they're worth): 2015-05-09 19:48:01 -> 2015-07-29 17:25:51
Couple of config URLs:

Code: Select all
hXXp://genmjob3.ru/black3/file.php|file=black3.xml
hXXp://genmjob3.ru/mac/file.php|file=mac.xml
hXXp://lucoilosa.ru/usca/file.php|file=usca.xml
hXXp://somethinfresh.ru/file.php|file=td.dll

Samples and configs for the latest compile times are attached.

Re: Citadel (Zeus clone)

Postby Xylitol » Thu Dec 10, 2015 3:20 pm

Signed AutoIt Citadel https://www.virustotal.com/en/file/c294 ... /analysis/
Thanks to siri for the heads up.
Code: Select all
Key: 34 99 69 16 D4 BA 8B 06 D8 B6 EB 8E 72 E1 1B 71
login key: C1F20D2340B519056A7D89B7DF4B0FFF


1.3.5.1 version targeting France, non-exclusive list:

There is also a MitB for LBP (La Banque Postale) but the C2 seems offline...

Edit: https://www.virustotal.com/en/file/5bd4 ... 459494348/
Same guy? http://vxvault.net/ViriFiche.php?ID=29587
http://vxvault.net/ViriFiche.php?ID=29580
And https://virustotal.com/en/file/15e17a41 ... /analysis/ (from agemiel.com/4.exe)

Domains in relation:
https://www.virustotal.com/en/domain/be ... formation/
https://www.virustotal.com/en/domain/ww ... formation/
https://www.virustotal.com/en/domain/kr ... formation/