Citadel (Zeus clone)

[EP_X0FF]

@ EP_X0FF

I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part, if I run it inside BSA it won't.
There are the "usual" registry changes but there is nothing being added to the run key. It is like it puts itself to sleep and then can no longer continue.

Probably it activity restricted by sandbox. Why you want to run malware in VM + Sandboxie?

[Buster_BSA]

@ EP_X0FF

I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part, if I run it inside BSA it won't.
There are the "usual" registry changes but there is nothing being added to the run key. It is like it puts itself to sleep and then can no longer continue.

Probably the malware is injecting code to a system process and then setting autorun part from there. As Sandboxie does not allow injection to processes running outside the sandbox, the process will fail so autorun too.

[Cassiel]

@ EP_X0FF

Well my idea was to use a VM with BSA in order to have a snapshot if things went wrong.
I tried cuckoo also however I like the reporting from BSA a lot more then cuckoo.

@ Buster_BSA

You are most likely right, I am going to check this with procmon in order to see how the registry keyis being set.


EDIT:

You are right, it is injecting into explorer and after that it is creating the autorun key.

[Buster_BSA]

You are right, it is injecting into explorer and after that it is creating the autorun key.

I would like such injections were being sucessfully done so BSA analysis can be more complete, but the thing depends on Sandboxie´s restrictions. I am going to talk with Ronen about this and I will ask him if there is any workaround to solve the issue.

[bsteo]

Citadel 1.3.5.1 Rain Edition sample. It have some anti-VM and anti-AVS functions, couldn't run it under Comodo and didn't try manually, maybe someone will do.

[EP_X0FF]

Citadel 1.3.5.1 Rain Edition sample. It have some anti-VM

Not found. Except lame trick with GetKeyboardLayoutList (patch two bytes @00418FC6 with nops) and another lame trick with

Code: Select all

ROOT\SECURITYCENTERROOT\SECURITYCENTER2 SELECT * FROM%sWQL
Antivirus Product company Name display Name version Number Unknown Company:%s
Product:%s
Version:%s
Firewall Product 
Software\Microsoft\Windows\CurrentVersion\Uninstall
Publisher Display Name Display Version%u:%s|%s|%s

Code: Select all

SafenSoft SysWatch  McAfee  McAfee Security Center  McAfee SecurityCenter   Symantec Client   Symantec Protection   Symantec Shared   Symantec Security   Norton Protection   Kaspersky Security  Kaspersky Anti-Virus  avast! Antivirus  AntiVir Desktop   AVG Monitor   AVG Service   AVG Security  ESET Security   ESET Antivirus  Microsoft Inspection  Microsoft Malware   Microsoft Security

+ http://www.kernelmode.info/forum/viewto ... 553#p17553

Patched Zeus result (full disclosure).
http://camas.comodo.com/cgi-bin/submit? ... f9856e4263

No matter how it named - zeus, ice-ix, citadel it all the same slavik shit.

[bsteo]

Thank you very much for the tips and help

[Xylitol]

Code: Select all

• dns: 1 ›› ip: 62.109.1.7 - adresse: CITAB-TEST.TK
http://62.109.1.7/net/panel.php?m=login

Code: Select all

http://62.109.1.7/net/install/
• [0] - Connecting to MySQL as 'citab-test'.
• [0] - Selecting DB 'citab-test'.
• [0] - Updating table 'botnet_list'.
• [0] - Creating table 'botnet_reports'.
• [0] - Updating table 'botnet_reports_130119'.
• [0] - Filling table 'ipv4toc'.
• [0] - Creating table 'ipv4toc'.
• [3] - Updating table 'cp_users'.
• [3] - Updating table 'botnet_scripts'.
• [3] - Updating table 'botnet_scripts_stat'.
• [3] - Updating table 'botnet_software_stat'.
• [3] - Updating table 'exe_updates'.
• [3] - Updating table 'exe_updates_crypter'.
• [3] - Updating table 'accparse_rules'.
• [3] - Updating table 'accparse_accounts'.
• [3] - Updating table 'vnc_bot_connections'.
• [3] - Updating table 'jabber_messages'.
• [3] - Updating table 'botnet_screenshots'.
• [3] - Updating table 'botnet_rep_favorites'.
• [3] - Updating table 'botnet_activity'.
• [3] - Updating table 'botnet_webinjects_group'.
• [3] - Updating table 'botnet_webinjects_group_perms'.
• [3] - Updating table 'botnet_webinjects'.
• [3] - Updating table 'botnet_webinjects_bundle'.
• [3] - Updating table 'botnet_webinjects_bundle_execlim'.
• [3] - Updating table 'botnet_webinjects_bundle_members'.
• [3] - Updating table 'botnet_webinjects_history'.
• [3] - Creating folder '_logos'.
• [3] - Writing config file
• [3] - Searching for the god particle...
• [3] - Creating folder 'system/data'.
• [3] - Creating folder 'public'.
• [3] - Creating folder 'files'.
• [3] - Creating folder 'files/webinjects'.
-- Update complete! --

No matter how it named - zeus, ice-ix, citadel it all the same slavik shit.

Code: Select all

-l admin -P pwd.lst -s 80 -w 64 -f -V 62.109.1.7 http-post-form "/net/panel.php?m=login:user=admin&pass=^PASS^:Bad user name or password."

And it's the same command for bruteforce Zeus, Ice9, Citadel.

[bsteo]

If someone needs the PHP Admin Panel of this slavik mod shit let me know I can upload it.

[R136a1]

Seems like Citadel is the new favorite toy of some criminal gangs targeting government organizations:

McAfee Blog: http://blogs.mcafee.com/mcafee-labs/lab ... del-trojan

HitmanPro Blog: https://hitmanpro.wordpress.com/2013/02 ... onnection/