Monday, April 8, 2013

CNC analysis of Citadel Trojan Bot-Agent - Part 1: with Wireshark

We received a request to help investigate the latest Citadel bot agent and config dropper C2 sites live on the internet, to gather evidence for a shutdown. The investigation has started and we are posting some results here; the overall analysis contains sensitive information that we cannot disclose in full, so please kindly bear with the materials posted.

(For a background analysis of Citadel that can serve as a reference for this one, I recommend reading Malware Analysis: Citadel by AhnLab-->>[HERE])

From several references we figured out that the latest Citadel config dropper URL matches the regex:

\/file.php\|file\=
A quick search turned up the infection URLs below:
The trojan downloader:
h00p://www.keihingroup.co.jp/libraries/joomla/access/file.php|file=4mar.exe
h00p://metabor.com/analytics/file.php|file=tok.exe
h00p://91.217.254.63/ara1/file.php|file=citadelbuild.exe
and the config files:
h00p://k-k131.co.jp/administrator/templates/system/html/file.php|file=conf.bin
h00p://apenhaimcanadaupdate4.com/CiTys897yusa072assSA/file.php|file=config.dll
h00p://womancasdorinosvictor.com/CiTys897yusa072assSA/file.php|file=config.bin
h00p://uredasqopjerl.net/tables/file.php|file=zcfg.bin
↑As you can see, these are Joomla! and WordPress sites.

A regex search in URLquery returns many infected sites, as per the picture below (click it to see the result).

Since the shutdown effort was the priority in this case, we will share the detailed analysis of the infected file downloaded from the first URL only, which I uploaded to VirusTotal in detail as shown below, at this URL -->>[HERE]

Virus Total check result of the downloaded 4mar.exe showed:

SHA256: 97aafc6e53eaedc1ecf07c996b181fbfeec4bca88007114a961d148e6abb414f
SHA1: 58283aeaa4737ccd485181ca31c067f37885905e
MD5: 699e84682acdf3304fc79014e30eb11f
File size: 241.5 KB ( 247296 bytes )
File name: 4mar.exe
File type: Win32 EXE
Tags: peexe armadillo
Detection ratio: 28 / 46
Analysis date: 2013-04-08 04:49:49 UTC ( 2 hours, 16 minutes ago )
The detection rate is not bad:
File ./4mar.exe with MD5 699e84682acdf3304fc79014e30eb11f
---------------------------------------------------------
nProtect                 : Trojan.Generic.KDV.906991
McAfee                   : Artemis!699E84682ACD
Malwarebytes             : Trojan.Zbot.HEEP
Symantec                 : WS.Reputation.1
Norman                   : ZBot.GSSC
ESET-NOD32               : a variant of Win32/Injector.AEDR
TrendMicro-HouseCall     : TROJ_SPNR.0BCO13
Avast                    : Win32:Crypt-OZC [Trj]
Kaspersky                : Trojan-Spy.Win32.Zbot.jwcj
BitDefender              : Trojan.Generic.KDV.906991
Sophos                   : Mal/Generic-S
Comodo                   : UnclassifiedMalware
F-Secure                 : Trojan.Generic.KDV.906991
VIPRE                    : Trojan.Win32.Generic!BT
AntiVir                  : TR/PSW.Zbot.1039
TrendMicro               : TROJ_SPNR.0BCO13
McAfee-GW-Edition        : Artemis!699E84682ACD
Emsisoft                 : Trojan.Win32.Injector.AEDR.AMN (A)
Microsoft                : PWS:Win32/Zbot
SUPERAntiSpyware         : Trojan.Agent/Gen-Festo
GData                    : Trojan.Generic.KDV.906991
Commtouch                : W32/Trojan.LIMH-2300
AhnLab-V3                : Spyware/Win32.Zbot
VBA32                    : TrojanSpy.Zbot.jwcj
Ikarus                   : Trojan-Spy.Win32.Zbot
Fortinet                 : W32/Injector.AEDR
AVG                      : Dropper.Generic7.COPV
Panda                    : Trj/CI.A

Quick review, snapshots & sample of the infection

4mar.exe is well-known malware: the Citadel bot agent trojan. If it runs on your PC it decrypts itself, copies itself and installs its configuration file, as shown below:

And the inside of the config file dropped in the picture above looks like this:

The installation of this Citadel bot agent can be observed together with its injection into processes, as per the steps below:

After this, the registry autostart entry is set, the config is saved as a binary, and the batch file and the first dropper trojan delete themselves.

There are a lot of requests to the remote host (suspected C2), like:

A snapshot of the encrypted configuration binary saved in the registry:

More details follow in the analysis section. This quick review was written for research purposes, to help quickly recognize the same threat when it is spotted alive and infectious on the internet.

The self-copied Citadel bot agent ends up with a different hash from the original because of the self-decrypting process (see the reference PDF, page 3); the snapshot below compares the binary before and after decryption:

For comparison I also uploaded the self-decrypted malware (maca.exe), which has a new hash, to VirusTotal-->>[HERE]
with the detection result below:

SHA256: 411c56f4a8d3127139da30a1eb468af23770ab00a58a0caa6809c1b4ed56b1b1
SHA1: a42a53082a0d06475e1911dc7a49da90a4896e63
MD5: e292e07eaa5e1eadb7c08ed9a59e38bb
File size: 241.5 KB ( 247296 bytes )
File name: maca.exe
File type: Win32 EXE
Tags: peexe armadillo
Detection ratio: 14 / 46
Analysis date: 2013-04-08 05:56:26 UTC ( 1 hour, 18 minutes ago )
With the malware detections below:
F-Secure                 : Gen:Variant.Symmi.17062
GData                    : Gen:Variant.Symmi.17062
VIPRE                    : Trojan.Win32.Generic!BT
AntiVir                  : TR/PSW.Zbot.1039
ESET-NOD32               : a variant of Win32/Injector.AEDR
MicroWorld-eScan         : Gen:Variant.Symmi.17062
Avast                    : Win32:Crypt-OZC [Trj]
Kaspersky                : Trojan-Spy.Win32.Zbot.jwcj
BitDefender              : Gen:Variant.Symmi.17062
Malwarebytes             : Trojan.Zbot.HEEP
Ikarus                   : Trojan-Spy.Win32.Zbot
AVG                      : Dropper.Generic7.COPV
Emsisoft                 : Gen:Variant.Symmi.17062 (B)
SUPERAntiSpyware         : Trojan.Agent/Gen-Festo

Malware Analysis

During the first run, in the first 18 seconds, the Citadel bot produced the registry activity recorded in the paste below: https://docs.google.com/file/d/0B_YSil_6KDdqWkhtYzRCUTA3WkU/edit?usp=sharing It creates folders and drops components at:

C:\Documents and Settings\%USER%\Application Data\Aqisme [Random]
C:\Documents and Settings\%USER%\Application Data\Aqisme\maca.exe [Random]
C:\Documents and Settings\%USER%\Application Data\Asanf [Random]
C:\Documents and Settings\%USER%\Application Data\Asanf\gego.eww [Random]
C:\Documents and Settings\%USER%\Application Data\Leni [Random]
C:\Documents and Settings\%USER%\Application Data\Leni\cioci.mii [Random]
C:\Documents and Settings\%USER%\Application Data\Microsoft\Address Book\%USER%.wab
..\Temp\tmpda63997b.bat [Random]
..\Temp\MPS1.tmp [Random]
Followed by the registry activities below:
"Setting auto start.."

HKU\..\Microsoft\Windows\CurrentVersion\\Qywirimoy: "C:\Documents and Settings\%USER%\Application Data\Aqisme\maca.exe"

"Some crypto recorded to be set by this malware.."

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 1F 01 A1 E2 6D 40 DD A2 F0 E5 7C B3 7C FA 8A 14
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 93 89 C1 90 F9 F2 CE DB 72 D3 C9 79 C7 2E FA 14
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 59 3C CE E5 81 D9 47 D3 F1 F7 4F 5E 66 10 B0 E3
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: C6 94 48 3F AA F7 77 2D A7 C2 2B 6D ED 30 A5 95
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: AC A6 1A E0 75 9C C5 CF 11 8F 94 9F 49 F6 DE DB
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 2A D3 3C EB FD 54 46 AD C1 DD B5 19 0E F5 77 D4
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 48 E3 63 EE 9C 6C F0 CC B0 09 F1 0B E0 D1 33 94
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 5E FA 48 5A D4 32 F7 25 CC C3 AD 03 ED 07 EC 4F

"Setting for the shell default.."

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData,SUCCESS,Type: REG_SZ, Length: 94, Data: C:\Documents and Settings\%USER%\Application Data
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData,SUCCESS,Type: REG_SZ, Length: 124, Data: C:\Documents and Settings\%USER%\Local Settings\Application Data

"Confirming malware data..."

HKCU\Software\Microsoft\Awoveg\Byatefmi,SUCCESS,Type: REG_BINARY, Length: 160, Data: 70 82 DF 35 1E 94 43 6B 6C AC 58 05 D9 A5 DE 45

"Decoded binary config.."

HKU\..\Software\Microsoft\Awoveg\Byatefmi: 70 8C AC 58 05 D9 A5 DE 45 89 E2 55 6E 6F 97 0A 10 0D DB 1B 35 EE 85 08 BD 70 82 DF 35 1E 94 43
HKU\..\Software\Microsoft\Awoveg\Pekeoph:  08 FF 2A D3 71 AD 68 FB A0 98 D9 FF D1 9E 68 A1 B3 EC 73 F8 B9 83 8C 9E 7F B7 E6 66 02 3F 06 80 
45 EC 92 DE DF 57 DE E8 AB 3D C4 4E 65 64 AD 7F 74 E0 9C 71 AA 9A B3 92 D8 2B CF 95 D0 34 41 04 A4 94 39 93 89 A2 8E FA 56 B2 C2 03 7D CC 
97 59 FC B2 76 50 07 AE 92 B1 A1 2F 4F 23 2C 21 BF F9 31 8A 69 29 CC 37 BE 6F 73 B6 4E FD DC 9B CF 8B 5A 68 20 25 86 F4 6B 69 19 2C 0E C1 
B7 64 FE 87 35 49 4D 95 AE 42 98 25 D2 BD 86 81 E2 11 5F D5 B3 A2 3E 13 49 FB 43 1A E2 AF
     :                                  :
     << snipped.. snipped...>>
     :                                  :
A6 56 73 92 9C DF AC 74 40 7A 34 0A B3 8A 53 39 EF 85 68 DB 1D E6 D6 09 08 78 42 95 46 9E 07 E3 1F 63 52 85 56 5F 8E 52 48 EC 4D BD DB 0A 
9B A7 CB AC 73 0D A7 27 4E 6F 4A 6D 66 0E 65 A1 67 98 1F 23 FC C2 83 51 D9 02

"Stangely.. Mailer Address Book pointed to dropped ones.."
HKU\..\Software\Microsoft\WAB\WAB4\Wab File Name\: "C:\Documents and Settings\%USER%\Application Data\Microsoft\Address Book\%USER%.wab"
HKU\..\Software\Microsoft\WAB\WAB4\OlkContactRefresh: 0x00000000
HKU\..\Software\Microsoft\WAB\WAB4\OlkFolderRefresh: 0x00000000
HKU\..\Software\Microsoft\WAB\WAB4\First: 0x00000001

We have two important points: one is the encoding using crypto, and the other is the Mailer Address Book. The rest is mostly covered by the AhnLab PDF report. Looking at how the downloaded data is handled in the malware code (see the network analysis next), I must admit I found an uneasy 6 detailed encryption with a number of rounds and a key, pointing me to the AES-256 cipher being used here (see the crypto key in the registry above).
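As an added detection example (not from the post or the AhnLab report), the Python below parses registry-monitor lines in the `path,SUCCESS,Type: ..., Length: ..., Data: ...` form quoted above and flags the three behaviours recorded in the listing: an autostart value whose command lives in the user's Application Data, REG_BINARY blobs stored under a random subkey of HKCU\Software\Microsoft (where this sample keeps its saved config), and the Windows Address Book file path being redirected. The sample lines are constructed after the post's output; the Run-key location of the autostart value, the blob lengths and the allowlist of legitimate Microsoft subkeys are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample lines in the "path,RESULT,Type: ..., Length: ..., Data: ..."
# style quoted in the post. Key names, value names and data mirror the post;
# the Run-key location of the autostart value and the blob lengths are assumptions.
SAMPLE_LOG = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Qywirimoy,SUCCESS,Type: REG_SZ, Length: 94, Data: C:\Documents and Settings\%USER%\Application Data\Aqisme\maca.exe
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 1F 01 A1 E2 6D 40 DD A2 F0 E5 7C B3 7C FA 8A 14
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData,SUCCESS,Type: REG_SZ, Length: 94, Data: C:\Documents and Settings\%USER%\Application Data
HKCU\Software\Microsoft\Awoveg\Byatefmi,SUCCESS,Type: REG_BINARY, Length: 160, Data: 70 82 DF 35 1E 94 43 6B 6C AC 58 05 D9 A5 DE 45
HKCU\Software\Microsoft\Awoveg\Pekeoph,SUCCESS,Type: REG_BINARY, Length: 2048, Data: 08 FF 2A D3 71 AD 68 FB A0 98 D9 FF D1 9E 68 A1
HKCU\Software\Microsoft\WAB\WAB4\Wab File Name\(Default),SUCCESS,Type: REG_SZ, Length: 142, Data: C:\Documents and Settings\%USER%\Application Data\Microsoft\Address Book\%USER%.wab
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page,SUCCESS,Type: REG_SZ, Length: 48, Data: http://www.example.com/
"""

# One monitor line: full value path, result, value type, data length, data.
LINE_RE = re.compile(
    r"^(?P<path>HK(?:LM|CU|U|CR|CC)\\.+?),(?P<result>[A-Z ]+),"
    r"Type: (?P<type>REG_\w+), Length: (?P<length>\d+), Data: (?P<data>.*)$"
)


@dataclass
class RegEvent:
    path: str
    result: str
    type: str
    length: int
    data: str

    @property
    def key(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def value_name(self) -> str:
        return self.path.rsplit("\\", 1)[1]


def parse_events(text: str) -> List[RegEvent]:
    """Parse the monitor output, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(RegEvent(m["path"], m["result"], m["type"], int(m["length"]), m["data"]))
    return events


AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")
# Example allowlist of subkeys legitimately found under HKCU\Software\Microsoft;
# illustrative only, not exhaustive (assumption).
KNOWN_MS_SUBKEYS = {"windows", "windows nt", "internet explorer", "cryptography", "wab", "office", "ole"}


def check_autostart(ev: RegEvent) -> Optional[str]:
    """Run/RunOnce value whose command lives in a user-writable profile directory."""
    if not ev.key.lower().endswith(AUTOSTART_KEYS):
        return None
    if any(marker in ev.data.lower() for marker in USER_WRITABLE):
        return f"autostart {ev.value_name!r} points into the user profile: {ev.data}"
    return None


def check_binary_blob(ev: RegEvent) -> Optional[str]:
    """REG_BINARY written directly to HKCU\\Software\\Microsoft\\<unknown subkey>\\<value>,
    the layout the post shows for the saved (encrypted) config."""
    parts = ev.path.split("\\")
    if len(parts) != 5 or [p.lower() for p in parts[:3]] != ["hkcu", "software", "microsoft"]:
        return None
    if ev.type != "REG_BINARY" or parts[3].lower() in KNOWN_MS_SUBKEYS:
        return None
    return f"{ev.length}-byte REG_BINARY blob under non-standard key HKCU\\Software\\Microsoft\\{parts[3]} (value {parts[4]!r})"


def check_address_book(ev: RegEvent) -> Optional[str]:
    """Windows Address Book file path pointed at a .wab file (the post's dropped one)."""
    if "\\wab\\wab4\\wab file name" in ev.key.lower() and ev.data.lower().endswith(".wab"):
        return f"address book file set to {ev.data}"
    return None


CHECKS: List[Callable[[RegEvent], Optional[str]]] = [check_autostart, check_binary_blob, check_address_book]


def scan(text: str) -> List[str]:
    """Return one alert string per suspicious registry write, in log order."""
    alerts = []
    for ev in parse_events(text):
        for check in CHECKS:
            msg = check(ev)
            if msg:
                alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The RNG seed writes under HKLM\SOFTWARE\Microsoft\Cryptography are deliberately not alerted on: any process that calls the Windows crypto API reseeds that value, so on its own it is noise rather than an indicator.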

I don't have the luxury of playing around with the encryption this time, so I searched Google and found a good analysis explaining the concept of how to decode the Citadel config here-->>[HERE] (thanks to Fabien Perigaud). Since the same conditions were found in the sample binary on reversing, the rest of the decoding steps should work as per his posted guideline (I will confirm the details later).

Wireshark's C2 Analysis

As with any bot, the networking is important for tracing the source of the infection.
We made two capture sessions; all the remote requests can be summarized by the list of DNS requests for the domains the malware used, below:

Upon connecting to the requested hosts, the Citadel bot issues HTTP/1.1 POST requests:

One set of POST event data sent and its reply:

Request:

..and the reply received:

The ../pro/file.php POST request session triggers a big binary download:

Request details:
..and the response:

If we classify the HTTP responses we can tell the sites which are still up and infected from the ones that have just been cleaned up: those marked red are active and those in green are now clean. (Among the active ones we see the IPs 89.184.82.143 and 221.132.39.132.)

Of these, 89.184.82.143 is actively serving the config download:

The current infectious Citadel C2 "alive" IP details:

The domains currently used for the callbacks (alive domains only):

tableindexcsv.com       89.184.82.143
keximvlc.com.vn         221.132.39.132
www2029.sakura.ne.jp    59.106.171.39
thoikhang.com.vn        203.119.8.111
k-k131.co.jp            59.106.171.39
0704271d3a758a87.com    195.22.26.231
The URL patterns used by the HTTP/1.1 POSTs in this case are:
/administrator/modules/mod_menu/tmpl/content.php
/administrator/templates/system/html/file.php
/pro/file.php
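The dropper URL regex from the top of the post and the callback domains and POST paths listed above can be applied together as one log check. The following Python script is an added example, not part of the original post or the MalwareMustDie team's tooling: it runs both indicator sets over a constructed, whitespace-separated proxy log (the log layout, the client IPs, the byte counts and the benign filler lines are assumptions), flags requests matching the `file.php|file=` dropper/config pattern, and flags POSTs to the known callback hosts or paths.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators transcribed from the post: callback domains/IPs that were alive at
# the time of writing, and the three paths the HTTP/1.1 POSTs went to.
C2_HOSTS = {
    "tableindexcsv.com": "89.184.82.143",
    "keximvlc.com.vn": "221.132.39.132",
    "www2029.sakura.ne.jp": "59.106.171.39",
    "thoikhang.com.vn": "203.119.8.111",
    "k-k131.co.jp": "59.106.171.39",
    "0704271d3a758a87.com": "195.22.26.231",
}
C2_IPS = set(C2_HOSTS.values())
C2_POST_PATHS = {
    "/administrator/modules/mod_menu/tmpl/content.php",
    "/administrator/templates/system/html/file.php",
    "/pro/file.php",
}

# The post's search regex is \/file.php\|file\= ; this is the same pattern with the
# dot escaped and the requested payload name captured.
DROPPER_RE = re.compile(r"/file\.php\|file=(?P<payload>[^\s?&]+)")

# Assumed proxy log layout (a constructed, whitespace-separated format):
# <timestamp> <client-ip> <method> <host> <uri> <status> <bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<uri>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample traffic: the first three lines mirror URLs from the post, the
# 89.184.82.143 POST mirrors the config-serving C2, the rest is benign filler.
SAMPLE_LOG = """
2013-04-08T04:30:00Z 10.0.0.5 GET www.keihingroup.co.jp /libraries/joomla/access/file.php|file=4mar.exe 200 247296
2013-04-08T04:30:21Z 10.0.0.5 POST k-k131.co.jp /administrator/templates/system/html/file.php 200 512
2013-04-08T04:30:22Z 10.0.0.5 GET k-k131.co.jp /administrator/templates/system/html/file.php|file=conf.bin 200 68000
2013-04-08T04:31:00Z 10.0.0.5 POST 89.184.82.143 /pro/file.php 200 81920
2013-04-08T04:32:00Z 10.0.0.7 GET www.example.com /index.php 200 1200
2013-04-08T04:32:05Z 10.0.0.7 POST www.example.com /wp-login.php 302 0
"""


@dataclass
class Alert:
    ts: str
    client: str
    kind: str      # dropper-download | config-download | c2-callback
    detail: str


def is_c2_host(host: str) -> bool:
    """True for a listed callback domain or one of its IPs."""
    return host in C2_HOSTS or host in C2_IPS


def classify_payload(name: str) -> str:
    """The post's config files end in .bin/.dll, the droppers in .exe."""
    return "config-download" if name.lower().endswith((".bin", ".dll")) else "dropper-download"


def analyze(lines: Iterable[str]) -> List[Alert]:
    """Match each log line against the dropper URL pattern and the C2 POST indicators."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host, uri, method = m["host"].lower(), m["uri"], m["method"]
        path = uri.split("?", 1)[0].split("|", 1)[0]   # strip the query and the |file= suffix
        d = DROPPER_RE.search(uri)
        if d:
            alerts.append(Alert(m["ts"], m["client"], classify_payload(d["payload"]),
                                f"{host}{uri} -> {d['payload']} ({m['bytes']} bytes)"))
        if method == "POST" and (is_c2_host(host) or path in C2_POST_PATHS):
            why = "known C2 host" if is_c2_host(host) else "known C2 path"
            alerts.append(Alert(m["ts"], m["client"], "c2-callback", f"POST {host}{path} ({why})"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(a.ts, a.client, a.kind, a.detail)
```

The path-only rule (a POST to one of the three paths on a host that is not in the list) is there because the paths belong to compromised Joomla! installs and will show up again on hosts that were not yet known when the list was compiled; a hit on path alone is a lead to verify, not a confirmed callback.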
And guess what? NAUNET was behind one of these infector domains..
   Domain Name: TABLEINDEXCSV.COM
   Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
   Whois Server: whois.PublicDomainRegistry.com
   Referral URL: http://www.PublicDomainRegistry.com
   Name Server: DNS1.NAUNET.RU
   Name Server: DNS2.NAUNET.RU
   Status: clientTransferProhibited
   Updated Date: 01-mar-2013
   Creation Date: 01-mar-2013
   Expiration Date: 01-mar-2014
↑This raises our verdict of NAUNET as a malware-site affiliate even more, after the "RU:8080" blackhole case we went through.

Samples

We share the sample for research purposes and to help raise the detection ratio.

Download the sample-->>[HERE]

#MalwareMustDie!