Citadel (Zeus clone)
Re: Citadel (Zeus clone)
Thanks a lot for this. I'll try to cook up a volatility plugin this week.
- Xylitol
- Global Moderator
- Posts: 1652
- Joined: Sat Apr 10, 2010 5:54 pm
- Location: Seireitei, Soul Society
- Contact:
Re: Citadel (Zeus clone)
Cool, that would be nice to have a vol plugin for this version.
In attachment, Citadel 1.3.5.1 targeting France.
https://www.virustotal.com/en/file/a5b9 ... 460632261/
Also from config:
Process 'ecbl' stands for e-Carte Bleue, a service well promoted in France to generate a unique credit card number with the amount of money you want.
There are different flavors of the executable depending on the bank you are with (ecbl-sg.exe for Société Générale, ecbl-lcl.exe for Le Crédit Lyonnais, etc.).
Obviously the generated credit card is linked to your main banking account; it's a good idea to use this feature, but if you get your credentials stolen... bad guys can generate credit cards too.
nspr4 also changed to nss3 (lol?)
Code:
!https://adsl.free.fr*
!https://www.google.fr*
!https://extranet.sfrbusinessteam.fr*
#*crelan-online.be/*
#*.societegenerale.fr/*
#*bnpparibasfortis.be/*
#*.bnpparibas.net/*
#*cic.fr/*
#*edi05.cedricom.fr/*
#*.credit-agricole.fr/*
#*entreprises.ca-languedoc.fr/*
#*creditmutuel.fr/*
#*labanquepostale.fr/*
#*.lcl.fr/*
#*hsbc.fr/*
#*hsbc.com/*
#*hsbc.net/*
#*hsbcnet.com/*
#*hsbcprivatebank.com/*
#*accesd.affaires.desjardins.com/*
#*easywebsoc.td.com/*
#*scotiabank.com/*
#*edibanque.com.fr/*
#*.banquepopulaire.fr/*
#*banque-courtois.fr/*
#*credit-du-nord.fr/*
#*ing.be/*
#*fortuneo.fr/*
#*cmb.fr/*
#*cmmc.fr/*
#*cmso.com/*
#*bpe.fr/*
#*cofinoga.fr/*
#*boursorama.com/*
#*hellobank.fr/*
#*arkea-banque-ei.com/*
#*arkeabanqueprivee.fr/*
#*axabanque.fr/*
#*monabanq.com/*
#*bemix.fr/*
#*banque-accord.fr/*
#*.caisse-epargne.fr/*
#*.paypal./*
https://www.cic.fr/*/*/*/default.cgi
https://www.cic.fr/fr/*
https://*.banquepopulaire.fr*.aspx*
https://*.banquepopulaire.fr*.html*
https://*.banquepopulaire.fr*.do*
http*://*.creditmutuel.fr/*
http*://*.labanquepostale.fr/*releveCPP-releve_ccp.ea*
*uel.fr*situation_financiere*
*c.fr*situation_financiere*
*uel.fr*situation_financiere*
Code:
ecbl-lcl.exe; -lbp.exe; ecbl-cnce.exe; ecbl-sg.exe; ecbl-nxbp.exe; java.exe; jusched.exe; NOTEPAD.EXE
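To see which URLs a config like the one above actually covers, an analyst usually compiles the masks and runs a set of candidate URLs through them. The following is an added example, not code from the post or from any Zeus/Citadel tool; it assumes that `*` in a mask matches any run of characters, and it treats a leading `!` or `#` as a flag attached to the mask rather than part of the URL, keeping the flag but not interpreting its meaning (that assumption is marked in the code). The sample masks are copied from the list above; the test URLs are constructed.

```python
import re

# Assumption, not stated in the post: a leading '!' or '#' on a config line
# is a flag attached to the mask rather than part of the URL. The flag is kept
# on the entry but its meaning is not interpreted here.
FLAG_CHARS = "!#@"

# Constructed sample: a handful of masks copied from the config above.
SAMPLE_CONFIG = """
!https://www.google.fr*
#*.societegenerale.fr/*
#*.lcl.fr/*
https://www.cic.fr/fr/*
http*://*.labanquepostale.fr/*releveCPP-releve_ccp.ea*
*uel.fr*situation_financiere*
""".splitlines()


def parse_mask(line):
    """Split one config line into (flag, mask); flag is '' when absent."""
    line = line.strip()
    if line and line[0] in FLAG_CHARS:
        return line[0], line[1:]
    return "", line


def mask_to_regex(mask):
    """Translate a Zeus-style URL mask into an anchored regex.
    '*' matches any run of characters; everything else is literal, and the
    comparison is case-insensitive because host names are."""
    body = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


class TargetList:
    """Compiled view of a config's URL masks."""

    def __init__(self, lines):
        self.entries = []
        for line in lines:
            if not line.strip():
                continue
            flag, mask = parse_mask(line)
            self.entries.append((flag, mask, mask_to_regex(mask)))

    def match(self, url):
        """All (flag, mask) pairs whose mask covers the given URL."""
        return [(flag, mask) for flag, mask, rx in self.entries if rx.match(url)]

    def flagged(self, flag):
        """Masks carrying a particular prefix flag."""
        return [mask for f, mask, _ in self.entries if f == flag]


def coverage(urls, lines=SAMPLE_CONFIG):
    """Map each candidate URL to the masks that cover it (empty list = not covered)."""
    targets = TargetList(lines)
    return {url: targets.match(url) for url in urls}


if __name__ == "__main__":
    # Constructed URLs, chosen to exercise host wildcards, path wildcards and a miss.
    for url, hits in coverage([
        "https://particuliers.societegenerale.fr/index.html",
        "https://www.cic.fr/fr/comptes",
        "https://www.google.fr/search?q=x",
        "https://example.com/",
    ]).items():
        print(url, "->", hits)
```

Because the regex is anchored at both ends, a mask such as `https://www.cic.fr/fr/*` will not cover `https://www.cic.fr/en/...`, while `*uel.fr*situation_financiere*` covers any host ending in `uel.fr` as long as the path contains the marker string.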
- Xylitol
Re: Citadel (Zeus clone)
https://zeustracker.abuse.ch/monitor.ph ... -france.fr
Citadel 1.3.5.1 targeting France.
- Xylitol
Re: Citadel (Zeus clone)
some more
- Xylitol
Re: Citadel (Zeus clone)
Atmos
- Xylitol
Re: Citadel (Zeus clone)
MMD-0054-2016 - ATMOS botnet facts you should know ~ http://blog.malwaremustdie.org/2016/06/ ... facts.html
YARA rules that should do the trick for Atmos.
So far, here are some samples from the rules:
And also one for Citadel, specifically for 'hexed' samples (when bad guys are too poor to afford the product, they manually fix nspr4 to nss3).
This one is a good example: http://www.kernelmode.info/forum/viewto ... 007#p28313
Atmos can grab Google Chrome from v25.0.1349.2 (2012/12/06) till v43.0.2357.134 (2015/07/14), while Citadel doesn't work after 19.0.1084.52 if I remember correctly.
https://dl.google.com/chrome/win/4ED6DD ... taller.exe - 86731DC801EDB96D804B1BA2BEBD36D5 (chrome 43 installer)
Code:
rule Atmos_Malware : kutuzov_101 Banker Atmos
{
    meta:
        description = "Generic Spyware.Citadel.Atmos Signature"
        author = "xylitol@temari.fr"
        reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
        date = "02/08/2016"
        // May only the challenge guide you
    strings:
        // Check for the presence of MZ and kutuzov license identifier
        $MZ = {4D 5A}
        $LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii
        // TokenSpy identifiers
        $TS1 = "X-TS-Rule-Name: %s" wide ascii
        $TS2 = "X-TS-Rule-PatternID: %u" wide ascii
        $TS3 = "X-TS-BotID: %s" wide ascii
        $TS4 = "X-TS-Domain: %s" wide ascii
        $TS5 = "X-TS-SessionID: %s" wide ascii
        $TS6 = "X-TS-Header-Cookie: %S" wide ascii
        $TS7 = "X-TS-Header-Referer: %S" wide ascii
        $TS8 = "X-TS-Header-AcceptEncoding: %S" wide ascii
        $TS9 = "X-TS-Header-AcceptLanguage: %S" wide ascii
        $TS10 = "X-TS-Header-UserAgent: %S" wide ascii
        // Hidden VNC identifiers
        $VNC1 = "_hvnc_init@4" wide ascii
        $VNC2 = "_hvnc_uninit@0" wide ascii
        $VNC3 = "_hvnc_start@8" wide ascii
        $VNC4 = "_hvnc_stop@0" wide ascii
        $VNC5 = "_hvnc_wait@0" wide ascii
        $VNC6 = "_hvnc_work@0" wide ascii
        // Browser identifiers
        $WB1 = "nspr4.dll" wide ascii
        $WB2 = "nss3.dll" wide ascii
        $WB3 = "chrome.dll" wide ascii
        $WB4 = "Internet Explorer" wide ascii
        $WB5 = "Firefox" wide ascii
        $WB6 = "Chrome" wide ascii
    condition:
        ($MZ at 0 and $LKEY) and
        (
            (5 of ($TS*) and all of ($WB*)) or
            (3 of ($VNC*) and all of ($WB*))
        )
        and filesize < 300KB // Standard size (raw from builder) should be around ~264KB
        // Remove the above line if you want to trigger also on memory dumps, etc.
}

rule Atmos_Packed_Malware : Packed Atmos Banker
{
    meta:
        description = "Second Generic Spyware.Citadel.Atmos signature when builder adds a packed layer"
        author = "xylitol@temari.fr"
        reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
        date = "02/08/2016"
        // May only the challenge guide you
    strings:
        $MZ = {4D 5A}
        // Entry point identifier with CreateThread pointer in '??'
        $a = {55 8B EC 83 EC 0C 53 56 8B 35 ?? ?? ?? 00 57 33 DB BF 00 28 00 00}
        // End of main proc with sleep value in '??' and api call to sleep in '??'
        $b = {68 ?? ?? ?? ?? FF 15 ?? ?? ?? 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3}
        // API String identifier (ShellExecuteExW, SHELL32.dll, GetUserNameExW, Secur32.dll)
        $c = {53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65}
        $d = {74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00}
        // New Thread identifier
        $e = {55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 ?? 6A FF FF 75 08 FF 15 ?? ?? ?? 00}
    condition:
        all of them
        and filesize < 300KB // Standard size (raw from builder) should be around ~264KB
        // Remove the above line if you want to trigger also on memory dumps, etc.
}

rule Atmos_Builder : Cracked kutuzov Builder
{
    meta:
        description = "Generic signature for Hacktool.Atmos.Builder cracked version"
        author = "xylitol@temari.fr"
        reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
        date = "02/08/2016"
        // May only the challenge guide you
    strings:
        // Check for the presence of MZ, kutuzov license identifier, and good hardware ID
        $MZ = {4D 5A}
        $LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii
        $HWID = "D19FC0FB14BE23BCF35DA427951BB5AE" wide ascii
        // Builder string identifiers
        $s1 = "url_loader=%S" wide ascii
        $s2 = "url_webinjects=%S" wide ascii
        $s3 = "url_tokenspy=%S" wide ascii
        $s4 = "file_webinjects=%S" wide ascii
        $s5 = "moneyparser.enabled=%u" wide ascii
        $s6 = "enable_luhn10_post=%u" wide ascii
        $s7 = "insidevm_enable=%u" wide ascii
        $s8 = "disable_antivirus=%u" wide ascii
    condition:
        $MZ at 0 and $LKEY and $HWID and all of ($s*)
}
Code:
5990ce3620aafb9555a5629ed334de9fb5e98bf19d0689c64f7b466cf1bca5cd - aconnectgateway.com/webfaq/oziozbrnxxsaltavast.php|file=usagold.xml
17e86cec586fce0e2f4e4a99f6a5ba9e105e2515624ccdfdad53f991b4976bec - sofyan-kecita.tk/admin/file.php|file=us.xml
91c666f22a64ad226f08fe8a1e14fe447fcb36365276039ff821695b8c50cbed - fbicybertaskforce.ru/ysaopqkaszqopz.php|file=hawala.xml
f4649feb962aa94fd26969e27f08ed379302e59c56ebeeb63553c056786d0fd3 - qawsf1gy.bget.ru/bget.ru/file.php|file=us.xml
8385ea67413151383cfafb1b060804c062467b6428d9d86feaceb6832b19517f - j0k3rj0k3r.tk/sys/system//file.php|file=us.xml
27a3b0e7f4a67ef56b42dba086f9c5f19cd618cdf0747c5a836221de5e252452 - brausincsystem.pro/webadmin/file.php|file=usa.xml
d824f88da5f87951790429bbf97c4a24c3b03075b5366a682921f00a278d52c2 - derekz.xyz/wp-includes/css/Panel/file.php|file=us.xml
60ac13cda7a9b0b5e98e4082906e2c215d649106a05beb54abb1fbe474c0a629 - 352andro.ru/atmosadm/webadmin/file.php|file=transportfile.xml
6d988ec60d028158617477e0cdf3f9c40c2633bb97b46b29d576d05040612b48 - 103.208.86.48/mmbb/atmos/webadmin/file.php|file=us.xml
cdfd32d99c7b2b910dcdf23b059cc6717a082650d3ff8a524d40a602a4c6c8df - t500is5n.bget.ru/fsgdfhdfhadfhadfhdhfdhadfghdfh/file.php|file=us.xml
e4c6d074c7ea5dc45b6926d7b15327441dcb30097b9b095f8e4221239dacb8b5 - sentembertolls.ru/atmos/file.php|file=usagold.xml
05afbcd2f3801ac0b4954ad9b38e0817fa3914838059008b6b095cb0e632b9c4 - qawsf1gy.bget.ru/file.php|file=us.xml
b0418be73582374076241d23ededbe8ea7ab462b909e1e818e6e791a6bcf7449 - foranalysticsonly.com/test/file.php|file=us.xml
4fbe5ffb8763fa5c2af15328ec7465d189c2a1c3c72a8f2f9d6f70bcc9044a48 - campusvolunteers.org/aaa/Panel/file.php|file=us.xml
fc46cd1d4c991991ee1cecb9a5baa57c6be32419aa0871724ad0289f4601d46c - sjkdhfjkdsf.ru/file.php|file=usa.xml
58c4bf8c7415b11f8142436d00f968863a9b35ddc8ab4204d12d02445bbd2aa9 - opahdiqwklnasd.com/aksasdfw1qizjxnhquw/file.php|file=us.xml
fcb844d62cb56724ebabe097feeed8675956ed758d1acc890352266f3eea30dd - asdlkashdkahsda.ru/gBqjL/webadmin/fg6w9j3h.php|file=td.dll
3c9a5d1823048e7e05175bbaae0ed0f4b3396d85456c6d0a683823e5d8b86309 - krungonline.top/wp-admin/css/Panel/file.php|file=us.xml
f9e5e93936534ac1ed9a85eab8d69cd4c60349466e1085b4e330e0a075119dfc - shopbaite.ru/webfaq/usagold.xml
b89e9d9d79f2945612624d009e8d093b17117deee294321f9a22cdb9bcaec724 - moneygnom.com/PortER/file.php|file=usagold.xml
c850fde451c23c13206282b7ec42c66f5d353bb008078ac10430f13df07472eb - socrd1dw.bget.ru/d0usd90f80sdf8sd8f08dsf8sd0f8/file.php|file=us.xml
26ecd5f51fdd9d6b0f9934a1522bcd28daf6575a6f39225498fb36d099a9cf72 - castro4sucess.biz/test/file.php|file=us.xml
bf238080b149c7d490a0bee41d8d0d022ff88f830ba79f32244307efbd8b5048 - 2.155.245.7/capo/file.php|file=us.xml
70ae8cdf558328e5db4889e99dd1d6ec2e97240d23e5283e27ab199ab7dc8c9f - win10.host/AJh8Sb9J.php|file=YxJwg8Hu.xml
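The sample list above follows one shape per line: a SHA-256, a separator, the C2 location (host plus path to the gate), and optionally `|file=` naming the config the bot fetched. When feeding such a list into a blocklist or a hunting query, it pays to parse it rather than copy-paste it. The following parser is an added example, not part of the post; it takes three lines copied from the list above plus one constructed junk line, separates host from path, tolerates a missing `|file=` part (as in the shopbaite.ru entry), and reports which hosts are bare IP addresses.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Three lines copied from the list in the post above, plus a constructed
# non-matching line to show that malformed input is skipped, not guessed at.
SAMPLE_LINES = [
    "5990ce3620aafb9555a5629ed334de9fb5e98bf19d0689c64f7b466cf1bca5cd - aconnectgateway.com/webfaq/oziozbrnxxsaltavast.php|file=usagold.xml",
    "6d988ec60d028158617477e0cdf3f9c40c2633bb97b46b29d576d05040612b48 - 103.208.86.48/mmbb/atmos/webadmin/file.php|file=us.xml",
    "f9e5e93936534ac1ed9a85eab8d69cd4c60349466e1085b4e330e0a075119dfc - shopbaite.ru/webfaq/usagold.xml",
    "not an ioc line",
]

# 64 hex digits, ' - ', then the location with no whitespace in it.
LINE_RE = re.compile(r"^(?P<sha256>[0-9a-fA-F]{64})\s+-\s+(?P<rest>\S+)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_ioc_line(line):
    """Turn 'sha256 - host/path|key=value' into a dict, or None when the line
    does not have that shape. The config file name, when present, rides in
    the 'file=' parameter after the '|'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    location, _, params = m.group("rest").partition("|")
    kv = dict(p.split("=", 1) for p in params.split("&") if "=" in p)
    # The list carries no scheme; urlsplit needs one to separate host and path.
    u = urlsplit("http://" + location)
    return {
        "sha256": m.group("sha256").lower(),
        "host": u.hostname,
        "path": u.path,
        "config_file": kv.get("file"),
    }


def summarize(lines):
    """Aggregate view a blocklist or hunting query would start from."""
    records = [r for r in map(parse_ioc_line, lines) if r]
    return {
        "hosts": sorted({r["host"] for r in records}),
        "config_files": Counter(r["config_file"] for r in records if r["config_file"]),
        "ip_hosts": [r["host"] for r in records if IPV4_RE.fullmatch(r["host"])],
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_ioc_line(line))
    print(summarize(SAMPLE_LINES))
```

Hosts come out lowercase-insensitive as `urlsplit` sees them, so the same record can be matched against proxy logs without further normalisation; the SHA-256 is lowercased for the same reason.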
Code:
rule Citadel_Malware : Hexed nss3 Firefox
{
    meta:
        author = "xylitol@temari.fr"
        date = "2015-10-08"
        description = "Search for nss3.dll pattern indicating a hexed copy of Citadel malware to work on firefox > v23.0"
        // May only the challenge guide you
    strings:
        $s1 = "Coded by BRIAN KREBS for personal use only. I love my job & wife" wide ascii
        $s2 = "nss3.dll" wide ascii
        $h1 = {8B C7 EB F5 55 8B EC}
        $h2 = {55 8B EC 83 EC 0C 8A 82 00 01 00 00}
        $h3 = {3D D0 FF 1F 03 77 ?? 83 7D}
        $h4 = {83 F9 66 74 ?? 83 F9 6E 74 ?? 83 F9 76 74 ?? 83 F9 7A}
    condition:
        all of ($s*) and 2 of ($h*)
}
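Two details of these rules are easy to misread when porting them to another engine: `wide ascii` means each text string is searched both as raw bytes and as UTF-16LE (every character followed by a NUL), and `N of ($x*)` counts how many distinct identifiers in the group occur, not how many times they occur. The evaluator below is an added example (not the post's or YARA's code) that re-implements the conditions of the Atmos_Malware rule and the Citadel_Malware rule above with plain regular expressions, including the `??` one-byte wildcard in hex strings, and runs them over two constructed byte buffers that are not real binaries. Nothing here replaces YARA; it exists to show what the rule conditions actually require of a file.

```python
import re

KB = 1024


def text_regex(s):
    """Regex for a YARA text string declared 'wide ascii': the raw ASCII
    bytes or the UTF-16LE form (each character followed by a NUL byte)."""
    alts = [re.escape(s.encode("ascii")), re.escape(s.encode("utf-16-le"))]
    return re.compile(b"|".join(alts), re.DOTALL)


def hex_regex(h):
    """Regex for a YARA hex string such as '3D D0 FF 1F 03 77 ?? 83 7D';
    every '??' token becomes a one-byte wildcard."""
    toks = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in h.split()]
    return re.compile(b"".join(toks), re.DOTALL)


def n_of(data, patterns):
    """How many of the patterns occur at least once; this is what YARA's
    'N of ($x*)' counts (distinct identifiers, not occurrences)."""
    return sum(1 for p in patterns if p.search(data))


# String groups from the Atmos_Malware rule above.
LKEY = text_regex("533D9226E4C1CE0A9815DBEB19235AE4")
TS = [text_regex(s) for s in (
    "X-TS-Rule-Name: %s", "X-TS-Rule-PatternID: %u", "X-TS-BotID: %s",
    "X-TS-Domain: %s", "X-TS-SessionID: %s", "X-TS-Header-Cookie: %S",
    "X-TS-Header-Referer: %S", "X-TS-Header-AcceptEncoding: %S",
    "X-TS-Header-AcceptLanguage: %S", "X-TS-Header-UserAgent: %S")]
VNC = [text_regex(s) for s in (
    "_hvnc_init@4", "_hvnc_uninit@0", "_hvnc_start@8",
    "_hvnc_stop@0", "_hvnc_wait@0", "_hvnc_work@0")]
WB = [text_regex(s) for s in (
    "nspr4.dll", "nss3.dll", "chrome.dll", "Internet Explorer", "Firefox", "Chrome")]

# String groups from the Citadel_Malware (hexed nss3) rule above.
CIT_S = [text_regex("Coded by BRIAN KREBS for personal use only. I love my job & wife"),
         text_regex("nss3.dll")]
CIT_H = [hex_regex(h) for h in (
    "8B C7 EB F5 55 8B EC",
    "55 8B EC 83 EC 0C 8A 82 00 01 00 00",
    "3D D0 FF 1F 03 77 ?? 83 7D",
    "83 F9 66 74 ?? 83 F9 6E 74 ?? 83 F9 76 74 ?? 83 F9 7A")]


def atmos_malware(data):
    """Condition of Atmos_Malware: $MZ at 0 and the licence key, then either
    5 TokenSpy strings or 3 hVNC exports, always all browser strings,
    and a buffer smaller than 300KB."""
    if not (data.startswith(b"MZ") and LKEY.search(data)):
        return False
    all_wb = n_of(data, WB) == len(WB)
    spy = n_of(data, TS) >= 5 and all_wb
    hvnc = n_of(data, VNC) >= 3 and all_wb
    return (spy or hvnc) and len(data) < 300 * KB


def citadel_hexed(data):
    """Condition of Citadel_Malware: all of ($s*) and 2 of ($h*)."""
    return n_of(data, CIT_S) == len(CIT_S) and n_of(data, CIT_H) >= 2


def build_atmos_like_sample():
    """Constructed test buffer, not a real binary: fake MZ header, the key in
    ASCII, five TokenSpy strings in UTF-16LE and the six browser strings."""
    parts = [b"MZ" + b"\x00" * 62, b"533D9226E4C1CE0A9815DBEB19235AE4"]
    parts += [s.encode("utf-16-le") for s in (
        "X-TS-Rule-Name: %s", "X-TS-BotID: %s", "X-TS-Domain: %s",
        "X-TS-SessionID: %s", "X-TS-Header-Cookie: %S")]
    parts += [s.encode("ascii") for s in (
        "nspr4.dll", "nss3.dll", "chrome.dll", "Internet Explorer", "Firefox", "Chrome")]
    return b"\x00".join(parts)


def build_citadel_like_sample():
    """Constructed: the Krebs string (wide), nss3.dll (ASCII) and two of the
    hex patterns, with the '??' slot of $h3 filled by an arbitrary byte."""
    return b"\x00".join([
        b"MZ",
        "Coded by BRIAN KREBS for personal use only. I love my job & wife".encode("utf-16-le"),
        b"nss3.dll",
        bytes.fromhex("8BC7EBF5558BEC"),
        bytes.fromhex("3DD0FF1F0377") + b"\x12" + bytes.fromhex("837D"),
    ])


if __name__ == "__main__":
    a, c = build_atmos_like_sample(), build_citadel_like_sample()
    print("atmos-like buffer:", atmos_malware(a), citadel_hexed(a))
    print("citadel-like buffer:", atmos_malware(c), citadel_hexed(c))
```

The `filesize < 300KB` clause is reproduced as a length check on the buffer, which is why the post says to drop it before scanning memory dumps: a dump is far larger than a raw builder output, so the rule would never fire on it.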
- Xylitol
Re: Citadel (Zeus clone)
Russian Hacker “Kolypto” Extradited from Norway ~ https://www.justice.gov/usao-ndga/pr/ru ... ted-norway
Russian Hacker Pleads Guilty to Developing and Distributing Citadel Trojan ~ http://thehackernews.com/2017/03/citade ... acker.html