[tomchop]

Thanks a lot for this. I'll try to cook up a volatility plugin this week.

[Xylitol]

Cool, that would be nice to have a vol plugin for this version.

In attachment, Citadel 1.3.5.1 targeting France.
https://www.virustotal.com/en/file/a5b9 ... 460632261/

Code: Select all

!https://adsl.free.fr*
!https://www.google.fr*
!https://extranet.sfrbusinessteam.fr*
#*crelan-online.be/*
#*.societegenerale.fr/*
#*bnpparibasfortis.be/*
#*.bnpparibas.net/*
#*cic.fr/*
#*edi05.cedricom.fr/*
#*.credit-agricole.fr/*
#*entreprises.ca-languedoc.fr/*
#*creditmutuel.fr/*
#*labanquepostale.fr/*
#*.lcl.fr/*
#*hsbc.fr/*
#*hsbc.com/*
#*hsbc.net/*
#*hsbcnet.com/*
#*hsbcprivatebank.com/*
#*accesd.affaires.desjardins.com/*
#*easywebsoc.td.com/*
#*scotiabank.com/*
#*edibanque.com.fr/*
#*.banquepopulaire.fr/*
#*banque-courtois.fr/*
#*credit-du-nord.fr/*
#*ing.be/*
#*fortuneo.fr/*
#*cmb.fr/*
#*cmmc.fr/*
#*cmso.com/*
#*bpe.fr/*
#*cofinoga.fr/*
#*boursorama.com/*
#*hellobank.fr/*
#*arkea-banque-ei.com/*
#*arkeabanqueprivee.fr/*
#*axabanque.fr/*
#*monabanq.com/*
#*bemix.fr/*
#*banque-accord.fr/*
#*.caisse-epargne.fr/*
#*.paypal./*
https://www.cic.fr/*/*/*/default.cgi
https://www.cic.fr/fr/*
https://*.banquepopulaire.fr*.aspx*
https://*.banquepopulaire.fr*.html*
https://*.banquepopulaire.fr*.do*
http*://*.creditmutuel.fr/*
http*://*.labanquepostale.fr/*releveCPP-releve_ccp.ea*
*uel.fr*situation_financiere*
*c.fr*situation_financiere*
*uel.fr*situation_financiere*

Also from config:

Code: Select all

ecbl-lcl.exe; -lbp.exe; ecbl-cnce.exe; ecbl-sg.exe; ecbl-nxbp.exe; java.exe; jusched.exe; NOTEPAD.EXE

Process 'ecbl' stand for e-Carte Bleue, a service well promoted in france to generate a unique credit card number with the amount of money you want.
There is different flavors of the executable depending on the bank you are on (ecbl-sg.exe for Société Generale, ecbl-lcl.exe for Le Crédit Lyonnais, etc...)
Obviously the generated credit card is linked to your main banking account, it's a good idea to use this feature but if you get your credentials stolen.... bad guys can generate credit card too ;)
nspr4 changed also to nss3 (lol?)

[Xylitol]

https://zeustracker.abuse.ch/monitor.ph ... -france.fr
Citadel 1.3.5.1 targeting France.

[Xylitol]

some more

[Xylitol]

Atmos

[Xylitol]

https://www.virustotal.com/en/file/be1a ... 466354134/

[Xylitol]

MMD-0054-2016 - ATMOS botnet facts you should know ~ http://blog.malwaremustdie.org/2016/06/ ... facts.html

yara rules who should do the tricks for Atmos.

Code: Select all

rule Atmos_Malware : kutuzov_101 Banker Atmos
{
    meta:
    	description = "Generic Spyware.Citadel.Atmos Signature"
    	author = "xylitol@temari.fr"
    	reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
    	date = "02/08/2016"
    	// May only the challenge guide you

    strings:
    	// Check for the presence of MZ and kutuzov license identifier
    	$MZ = {4D 5A}
    	$LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii
    	
    	// TokenSpy identifiers
    	$TS1 = "X-TS-Rule-Name: %s" wide ascii
    	$TS2 = "X-TS-Rule-PatternID: %u" wide ascii
    	$TS3 = "X-TS-BotID: %s" wide ascii
    	$TS4 = "X-TS-Domain: %s" wide ascii
    	$TS5 = "X-TS-SessionID: %s" wide ascii
    	$TS6 = "X-TS-Header-Cookie: %S" wide ascii
    	$TS7 = "X-TS-Header-Referer: %S" wide ascii
    	$TS8 = "X-TS-Header-AcceptEncoding: %S" wide ascii
    	$TS9 = "X-TS-Header-AcceptLanguage: %S" wide ascii
    	$TS10 = "X-TS-Header-UserAgent: %S" wide ascii
    	
    	// Hidden VNC identifiers
    	$VNC1 = "_hvnc_init@4" wide ascii
    	$VNC2 = "_hvnc_uninit@0" wide ascii
    	$VNC3 = "_hvnc_start@8" wide ascii
    	$VNC4 = "_hvnc_stop@0" wide ascii
    	$VNC5 = "_hvnc_wait@0" wide ascii
    	$VNC6 = "_hvnc_work@0" wide ascii
    	
    	// Browsers identifiers
    	$WB1 = "nspr4.dll" wide ascii
    	$WB2 = "nss3.dll" wide ascii
    	$WB3 = "chrome.dll" wide ascii
    	$WB4 = "Internet Explorer" wide ascii
    	$WB5 = "Firefox" wide ascii
    	$WB6 = "Chrome" wide ascii

    condition:
	($MZ at 0 and $LKEY) and
	(
		(5 of ($TS*) and all of ($WB*)) or
		(3 of ($VNC*) and all of ($WB*))
	)
	and filesize < 300KB // Standard size (raw from builder) should be arround ~264kb
    // Remove the above line if you want to trig also on memory dumps, etc...
}


rule Atmos_Packed_Malware : Packed Atmos Banker
{
    meta:
    	description = "Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer"
    	author = "xylitol@temari.fr"
    	reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
    	date = "02/08/2016"
    	// May only the challenge guide you

    strings:
    	$MZ = {4D 5A}
    	
    	// Entry point identifier with CreateThread pointer in '??' 
    	$a = {55 8B EC 83 EC 0C 53 56 8B 35 ?? ?? ?? 00 57 33 DB BF 00 28 00 00}
	
    	// End of main proc with sleep value in '??' and api call to sleep in '??'
    	$b = {68 ?? ?? ?? ?? FF 15 ?? ?? ?? 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3}

    	// API String identifier (ShellExecuteExW, SHELL32.dll, GetUserNameExW, Secur32.dll)
    	$c = {53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65}
    	$d = {74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00}
		
    	// New Thread identifier
    	$e = {55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 ?? 6A FF FF 75 08 FF 15 ?? ?? ?? 00}
		
    condition:
    	all of them
    	and filesize < 300KB // Standard size (raw from builder) should be arround ~264kb
    	// Remove the above line if you want to trig also on memory dumps, etc...
}


rule Atmos_Builder : Cracked kutuzov Builder
{
    meta:
    	description = "Generic signature for Hacktool.Atmos.Builder cracked version"
    	author = "xylitol@temari.fr"
    	reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
    	date = "02/08/2016"
    	// May only the challenge guide you

    strings:
    	// Check for the presence of MZ, kutuzov license identifier, and good hardware ID
    	$MZ = {4D 5A}
    	$LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii
    	$HWID = "D19FC0FB14BE23BCF35DA427951BB5AE" wide ascii

    	// Builder strings identifiers
    	$s1 = "url_loader=%S" wide ascii
    	$s2 = "url_webinjects=%S" wide ascii
    	$s3 = "url_tokenspy=%S" wide ascii
    	$s4 = "file_webinjects=%S" wide ascii
    	$s5 = "moneyparser.enabled=%u" wide ascii
    	$s6 = "enable_luhn10_post=%u" wide ascii
    	$s7 = "insidevm_enable=%u" wide ascii
    	$s8 = "disable_antivirus=%u" wide ascii
		
    condition:
    	$MZ at 0 and $LKEY and $HWID and all of ($s*)
}

So far, here some samples from the rules:

Code: Select all

5990ce3620aafb9555a5629ed334de9fb5e98bf19d0689c64f7b466cf1bca5cd - aconnectgateway.com/webfaq/oziozbrnxxsaltavast.php|file=usagold.xml
17e86cec586fce0e2f4e4a99f6a5ba9e105e2515624ccdfdad53f991b4976bec - sofyan-kecita.tk/admin/file.php|file=us.xml
91c666f22a64ad226f08fe8a1e14fe447fcb36365276039ff821695b8c50cbed - fbicybertaskforce.ru/ysaopqkaszqopz.php|file=hawala.xml
f4649feb962aa94fd26969e27f08ed379302e59c56ebeeb63553c056786d0fd3 - qawsf1gy.bget.ru/bget.ru/file.php|file=us.xml
8385ea67413151383cfafb1b060804c062467b6428d9d86feaceb6832b19517f - j0k3rj0k3r.tk/sys/system//file.php|file=us.xml
27a3b0e7f4a67ef56b42dba086f9c5f19cd618cdf0747c5a836221de5e252452 - brausincsystem.pro/webadmin/file.php|file=usa.xml
d824f88da5f87951790429bbf97c4a24c3b03075b5366a682921f00a278d52c2 - derekz.xyz/wp-includes/css/Panel/file.php|file=us.xml
60ac13cda7a9b0b5e98e4082906e2c215d649106a05beb54abb1fbe474c0a629 - 352andro.ru/atmosadm/webadmin/file.php|file=transportfile.xml
6d988ec60d028158617477e0cdf3f9c40c2633bb97b46b29d576d05040612b48 - 103.208.86.48/mmbb/atmos/webadmin/file.php|file=us.xml
cdfd32d99c7b2b910dcdf23b059cc6717a082650d3ff8a524d40a602a4c6c8df - t500is5n.bget.ru/fsgdfhdfhadfhadfhdhfdhadfghdfh/file.php|file=us.xml
e4c6d074c7ea5dc45b6926d7b15327441dcb30097b9b095f8e4221239dacb8b5 - sentembertolls.ru/atmos/file.php|file=usagold.xml
05afbcd2f3801ac0b4954ad9b38e0817fa3914838059008b6b095cb0e632b9c4 - qawsf1gy.bget.ru/file.php|file=us.xml
b0418be73582374076241d23ededbe8ea7ab462b909e1e818e6e791a6bcf7449 - foranalysticsonly.com/test/file.php|file=us.xml
4fbe5ffb8763fa5c2af15328ec7465d189c2a1c3c72a8f2f9d6f70bcc9044a48 - campusvolunteers.org/aaa/Panel/file.php|file=us.xml
fc46cd1d4c991991ee1cecb9a5baa57c6be32419aa0871724ad0289f4601d46c - sjkdhfjkdsf.ru/file.php|file=usa.xml
58c4bf8c7415b11f8142436d00f968863a9b35ddc8ab4204d12d02445bbd2aa9 - opahdiqwklnasd.com/aksasdfw1qizjxnhquw/file.php|file=us.xml
fcb844d62cb56724ebabe097feeed8675956ed758d1acc890352266f3eea30dd - asdlkashdkahsda.ru/gBqjL/webadmin/fg6w9j3h.php|file=td.dll
3c9a5d1823048e7e05175bbaae0ed0f4b3396d85456c6d0a683823e5d8b86309 - krungonline.top/wp-admin/css/Panel/file.php|file=us.xml
f9e5e93936534ac1ed9a85eab8d69cd4c60349466e1085b4e330e0a075119dfc - shopbaite.ru/webfaq/usagold.xml
b89e9d9d79f2945612624d009e8d093b17117deee294321f9a22cdb9bcaec724 - moneygnom.com/PortER/file.php|file=usagold.xml
c850fde451c23c13206282b7ec42c66f5d353bb008078ac10430f13df07472eb - socrd1dw.bget.ru/d0usd90f80sdf8sd8f08dsf8sd0f8/file.php|file=us.xml
26ecd5f51fdd9d6b0f9934a1522bcd28daf6575a6f39225498fb36d099a9cf72 - castro4sucess.biz/test/file.php|file=us.xml
bf238080b149c7d490a0bee41d8d0d022ff88f830ba79f32244307efbd8b5048 - 2.155.245.7/capo/file.php|file=us.xml
70ae8cdf558328e5db4889e99dd1d6ec2e97240d23e5283e27ab199ab7dc8c9f - win10.host/AJh8Sb9J.php|file=YxJwg8Hu.xml

And also one for Citadel, specifically for 'hexed' samples (when bad guys are to poor to afford product, they manually fix nspr4 to nss3)

Code: Select all

rule Citadel_Malware : Hexed nss3 Firefox
{
	meta:
		author = "xylitol@temari.fr"
		date = "2015-10-08" 
		description = "Search for nss3.dll pattern indicating an hexed copy of Citadel malware to work on firefox > v23.0"
		// May only the challenge guide you

	strings:
		$s1 = "Coded by BRIAN KREBS for personal use only. I love my job & wife" wide ascii
		$s2 = "nss3.dll" wide ascii

		$h1 = {8B C7 EB F5 55 8B EC}
		$h2 = {55 8B EC 83 EC 0C 8A 82 00 01 00 00}
		$h3 = {3D D0 FF 1F 03 77 ?? 83 7D}
		$h4 = {83 F9 66 74 ?? 83 F9 6E 74 ?? 83 F9 76 74 ?? 83 F9 7A}

	condition:
		all of ($s*) and 2 of ($h*)
}

This one is a good example: http://www.kernelmode.info/forum/viewto ... 007#p28313
Atmos can grab google chrome v25.0.1349.2 (2012/12/06), till v43.0.2357.134 (2015/07/14) , while citadel don't work after 19.0.1084.52 if i remember correctly.
https://dl.google.com/chrome/win/4ED6DD ... taller.exe - 86731DC801EDB96D804B1BA2BEBD36D5 (chrome 43 installer)

[Xylitol]

Russian Hacker “Kolypto” Extradited from Norway ~ https://www.justice.gov/usao-ndga/pr/ru ... ted-norway
Russian Hacker Pleads Guilty to Developing and Distributing Citadel Trojan ~ http://thehackernews.com/2017/03/citade ... acker.html