A forum for reverse engineering, OS internals and malware analysis 

Citadel (Zeus clone)

Forum for analysis and discussion about malware.

Re: Citadel (Zeus clone)

 #19597  by Xylitol
 Mon Jun 10, 2013 6:44 pm
Citadel 1.3.5.1 targeting wellsfargo.com domains *again*
In attach config and decoded + plugins and sample.
Code: Select all
Drop: hxtp://pizdecnujzno.ru/ci/stuk.php
Update:
hxtp://programcam.ru/ci/file.php|file=config.bin
hxtp://seantit.ru/ci/file.php|file=config.bin
hxtp://ochengorit.ru/ci/file.php|file=config.dll
hxtp://pizdecnujzno.ru/ci/file.php|file=config.dll
Key: E3 CB 78 A2 67 ED D7 13 AF 76 12 78 02 84 54 FA
login key: 7114B0C95C94D1BD7E3E2CC9B6BF4BDE
Attachments
infected
(232.34 KiB) Downloaded 189 times

Re: Citadel (Zeus clone)

 #19616  by Xylitol
 Wed Jun 12, 2013 5:27 pm
Citadel 1.3.5.1 targeting wellsfargo.com domains *again*
In attach config and decoded + plugins and sample.
Code: Select all
Drop: hxtp://pauldomain.com/foam.php
Update:
hxtp://pauldomain.com/file.php|file=soft.exe
hxtp://reserve-host1/folder/file.php|file=config.bin (?!)
hxtp://reserve-host2/folder/file.php|file=config.bin (?!)
Key: EC 61 FA D8 34 37 3F 3B 69 96 37 2B 10 66 C6 05
login key: C1F20D2340B519056A7D89B7DF4B0FFF
Attachments
infected
(1.07 MiB) Downloaded 168 times

Re: Citadel (Zeus clone)

 #19617  by Xylitol
 Wed Jun 12, 2013 5:42 pm
Citadel 1.3.5.1 targeting wellsfargo.com domains *again*
In attach config and decoded + plugins and sample.
Code: Select all
Drop: hxtp://77.234.208.71/SOME/gate.php
Update:
hxtp://77.234.208.71/SOME/file.php|file=soft.exe
hxtp://184.82.235.213/SOME/file.php|file=config.dll
hxtp://panamadfrfrfirect.org/some/file.php|file=config.dll
Key: 7C BB 17 F9 7C 49 21 C6 F0 0B 55 4E ED 1F 4F F2
login key: C1F20D2340B519056A7D89B7DF4B0FFF
Attachments
infected
(656.11 KiB) Downloaded 173 times

Re: Citadel (Zeus clone)

 #19671  by tildedennis
 Mon Jun 17, 2013 8:00 pm
Xylitol,

Would you be up for writing a walk through on how you're extracting the RC4 and AES key from Citadel samples and decrypting the configs ?

Thanks much!

Re: Citadel (Zeus clone)

 #19830  by tildedennis
 Wed Jun 26, 2013 2:12 pm
The AhnLabs analysis is great, but I feel like it leaves some to be desired on the crypto. Doing my own reversing, the 2 AES functions map pretty closely to OpenSSL's AES_set_decrypt_key() and AES_decrypt() functions. Regardless of what I try though, I can't get the configs to decrypt via the openssl command line (openssl enc -aes-128-ecb -d -in config.dll -out decrypted -K 7CBB17F97C4921C6F00B554EED1F4FF2 -iv 0) (I take into account the post-AES XOR obfuscation). I also played with CBC mode (using the first 16 bytes of the config as the IV), even though I didn't see an IV being extracted/combined with the ciphertext in the code.

Are other researchers just dumping configs from a debugger or am I'm overlooking something? Has anyone been able to decrypt the configs via openssl command?

Thanks much!

Re: Citadel (Zeus clone)

 #20004  by Xylitol
 Sun Jul 07, 2013 11:52 am
a bit late this one have no webinject, only webfilter targeting france, sample come from botmaster 'Dahou'
Image
Code: Select all
#*libertyreserve.com/*
#*banquepostale.com/*
#*banquepostale.fr/*
#*caisse-epargne.fr/*
#*bnpparibas.net/
#*societegenerale.fr/*
#*credit-agricole.fr/*
#*lcl.fr/*
#*axabanque.fr/*
#*groupama.fr/*
Code: Select all
Version 1.3.5.1
Key: A9 B6 0C E0 9E 1D CB EF 75 57 7F DA 13 B8 7B 25
Citadel login key: F5F4D5EBD5855E904AB8DB757D320604
Drop: http://vg-update.ru/Nqcrtm/rKM6Eg/6LmAUI/header.php
Infection: http://vg-update.ru/Nqcrtm/rKM6Eg/6LmAUI/file.php|file=great.exe
Config: http://vg-update.ru/Nqcrtm/rKM6Eg/6LmAUI/file.php|file=config-bin.dll
Attachments
infected
(534.74 KiB) Downloaded 100 times

Re: Citadel (Zeus clone)

 #20008  by Xylitol
 Sun Jul 07, 2013 6:32 pm
Solving old stuff
exitthematrix wrote:Citadel 1.3.5.1 Rain Edition sample. It have some anti-VM and anti-AVS functions, couldn't run it under Comodo and didn't try manually, maybe someone will do.
Code: Select all
Version 1.3.5.1
Key: 15 7E B5 8D CE DC BA E6 CB 39 84 F6 36 36 5C DB
Citadel login key: C1F20D2340B519056A7D89B7DF4B0FFF
Dead config: http://citab-test.tk/net/file.php|file=test.dat
---
gritland wrote:zeus mode (maybe citadel)
cant decrypt config file
I don't think this is Citadel... not communicating like Cit.
And communicate with a WSO Shell (??!) hxxp://doshiamit.net/wp-content/plugins/widgets/blog.php?t=1
---
Xylitol wrote:Some files (php/exe) dumped from Citadel 1.3.4.5 server

Image
https://zeustracker.abuse.ch/monitor.ph ... orumin.net
There is also a bleeding life v2:
Code: Select all
hxxp://fastforumin.net:808/sp/statistics/login.php
Real gate:
Code: Select all
hxxp://5.9.62.149:50800/mainsession/gate.php
C&C:
Code: Select all
hxxp://5.9.62.149:50800/mainsession/cp.php
lulz:
Code: Select all
hxxp://5.9.62.149:50800/mainsession/install/
• [0] - Connecting to MySQL as 'joe'.
• [0] - Selecting DB 'joe_bot_db1'.
• [0] - Updating table 'botnet_list'.
• [0] - Creating table 'botnet_reports'.
• [0] - Updating table 'botnet_reports_120812'.
• [0] - Updating table 'botnet_reports_120813'.
• [0] - Updating table 'botnet_reports_120814'.
• [0] - Updating table 'botnet_reports_120815'.
• [0] - Updating table 'botnet_reports_120816'.
• [0] - Updating table 'botnet_reports_120817'.
• [0] - Updating table 'botnet_reports_120818'.
• [0] - Updating table 'botnet_reports_120819'.
• [0] - Updating table 'botnet_reports_120820'.
• [0] - Updating table 'botnet_reports_120821'.
• [0] - Updating table 'botnet_reports_120822'.
• [0] - Updating table 'botnet_reports_120823'.
• [0] - Updating table 'botnet_reports_120824'.
• [0] - Updating table 'botnet_reports_120825'.
• [0] - Updating table 'botnet_reports_120826'.
• [0] - Updating table 'botnet_reports_120827'.
• [0] - Updating table 'botnet_reports_120828'.
• [0] - Updating table 'botnet_reports_120829'.
• [0] - Updating table 'botnet_reports_120830'.
• [0] - Updating table 'botnet_reports_120831'.
• [0] - Updating table 'botnet_reports_120901'.
• [0] - Updating table 'botnet_reports_120902'.
• [0] - Updating table 'botnet_reports_120903'.
• [0] - Updating table 'botnet_reports_120904'.
• [0] - Updating table 'botnet_reports_120905'.
• [0] - Updating table 'botnet_reports_120906'.
• [0] - Updating table 'botnet_reports_120907'.
• [0] - Updating table 'botnet_reports_120908'.
• [0] - Updating table 'botnet_reports_120909'.
• [0] - Updating table 'botnet_reports_120910'.
• [0] - Updating table 'botnet_reports_120911'.
• [0] - Updating table 'botnet_reports_120912'.
• [0] - Updating table 'botnet_reports_120925'.
• [0] - Updating table 'botnet_reports_120926'.
• [0] - Updating table 'botnet_reports_120929'.
• [0] - Updating table 'botnet_reports_120930'.
• [0] - Updating table 'botnet_reports_121001'.
• [0] - Updating table 'botnet_reports_121002'.
• [0] - Updating table 'botnet_reports_121003'.
• [0] - Updating table 'botnet_reports_121004'.
• [0] - Updating table 'botnet_reports_121005'.
• [0] - Updating table 'botnet_reports_121006'.
• [0] - Updating table 'botnet_reports_121007'.
• [0] - Updating table 'botnet_reports_121011'.
• [0] - Updating table 'botnet_reports_121012'.
• [0] - Updating table 'botnet_reports_121013'.
• [0] - Updating table 'botnet_reports_121014'.
• [0] - Updating table 'botnet_reports_121015'.
• [0] - Updating table 'botnet_reports_121016'.
• [0] - Filling table 'ipv4toc'.
• [1] - Creating table 'ipv4toc'.
• [3] - Updating table 'cp_users'.
• [3] - Updating table 'botnet_scripts'.
• [3] - Updating table 'botnet_scripts_stat'.
• [3] - Updating table 'botnet_software_stat'.
• [3] - Updating table 'exe_updates'.
• [3] - Updating table 'exe_updates_crypter'.
• [3] - Updating table 'botnet_rep_domains'.
• [3] - Updating table 'botnet_rep_domainlogs'.
• [3] - Updating table 'accparse_rules'.
• [3] - Updating table 'accparse_accounts'.
• [3] - Updating table 'vnc_bot_connections'.
• [3] - Updating table 'botnet_rep_dedup'.
• [3] - Updating table 'jabber_messages'.
• [3] - Updating table 'botnet_rep_iframer'.
• [3] - Updating table 'botnet_rep_filehunter'.
• [3] - Updating table 'botnet_screenshots'.
• [3] - Updating table 'botnet_rep_favorites'.
• [3] - Updating table 'botnet_activity'.
• [3] - Creating folder '_reports102979970'.
• [3] - Writing config file
• [3] - Searching for the god particle...
• [3] - Creating folder 'system/data'.
• [3] - Creating folder 'public'.
-- Update complete! --
Code: Select all
Version: 1.3.4.5
Key: 95 CE CC E5 25 E2 5B 0B 0C 5E 12 A4 14 B8 9A 26
Login key: 13848FB885AC32D12CDEEB5FD78D1CB9
Drop: http://fastforumin.net:808/gameallodonline.php
Infection: http://fastforumin.net:808/file.php|file=bbbllasw.exe
Config: http://rezervniy-domain.ru/webserver/file.php|file=citadelconfig.bin
config decoded in attach.
Attachments
infected
(325.94 KiB) Downloaded 85 times

Re: Citadel (Zeus clone)

 #20037  by Xylitol
 Wed Jul 10, 2013 12:20 pm
Citab builder leaked (C1F20D2340B519056A7D89B7DF4B0FFF)
https://www.virustotal.com/en/file/1031 ... 373457354/
https://www.virustotal.com/en/file/f9e9 ... 373459345/
Malwarebytes: Hacktool.Citadel.Builder
epic detection
Attachments
infected
(4.61 MiB) Downloaded 136 times

Re: Citadel (Zeus clone)

 #20040  by rough_spear
 Wed Jul 10, 2013 7:41 pm
Hi All, :D

Citadel 1.3.4.5 builder+Panel and User Manual.

I know version is older than what xylitol had posted earlier, but i m posting it along with user Manual.

This manual includes information regarding bot(Zeus) and its commands.

How to setup and configure the servers(http and mysql).

Regards,

rough_spear. ;)
Attachments
(1.21 MiB) Downloaded 135 times
password - infected.
(2.77 MiB) Downloaded 139 times
  • 1
  • 4
  • 5
  • 6
  • 7
  • 8
  • 20
 Return to “Malware”