(For background on Citadel that can be used as a reference for this analysis, I recommend reading Malware Analysis: Citadel by AhnLab-->>[HERE])
From some references we figured out that the latest Citadel config dropper URLs contain the following regex:
\/file.php\|file\=
A quick search returned the infection URLs below:
The trojan downloader:
h00p://www.keihingroup.co.jp/libraries/joomla/access/file.php|file=4mar.exe
h00p://metabor.com/analytics/file.php|file=tok.exe
h00p://91.217.254.63/ara1/file.php|file=citadelbuild.exe
..and the config files:
h00p://k-k131.co.jp/administrator/templates/system/html/file.php|file=conf.bin
h00p://apenhaimcanadaupdate4.com/CiTys897yusa072assSA/file.php|file=config.dll
h00p://womancasdorinosvictor.com/CiTys897yusa072assSA/file.php|file=config.bin
h00p://uredasqopjerl.net/tables/file.php|file=zcfg.bin
↑As you can see, there are Joomla! and WordPress sites among them.
A regex search in URLquery returns many infected sites, as in the picture below (you can click it to see the result).
Since the shutdown effort was prioritized in this case, we would like to share the detailed analysis of the infected file downloaded from the first URL only, which I uploaded to VirusTotal-->>[HERE]
The VirusTotal check of the downloaded 4mar.exe showed:
SHA256: 97aafc6e53eaedc1ecf07c996b181fbfeec4bca88007114a961d148e6abb414f
SHA1: 58283aeaa4737ccd485181ca31c067f37885905e
MD5: 699e84682acdf3304fc79014e30eb11f
File size: 241.5 KB ( 247296 bytes )
File name: 4mar.exe
File type: Win32 EXE
Tags: peexe armadillo
Detection ratio: 28 / 46
Analysis date: 2013-04-08 04:49:49 UTC ( 2 hours, 16 minutes ago )
The detection rate is not bad:
File ./4mar.exe with MD5 699e84682acdf3304fc79014e30eb11f
---------------------------------------------------------
nProtect : Trojan.Generic.KDV.906991
McAfee : Artemis!699E84682ACD
Malwarebytes : Trojan.Zbot.HEEP
Symantec : WS.Reputation.1
Norman : ZBot.GSSC
ESET-NOD32 : a variant of Win32/Injector.AEDR
TrendMicro-HouseCall : TROJ_SPNR.0BCO13
Avast : Win32:Crypt-OZC [Trj]
Kaspersky : Trojan-Spy.Win32.Zbot.jwcj
BitDefender : Trojan.Generic.KDV.906991
Sophos : Mal/Generic-S
Comodo : UnclassifiedMalware
F-Secure : Trojan.Generic.KDV.906991
VIPRE : Trojan.Win32.Generic!BT
AntiVir : TR/PSW.Zbot.1039
TrendMicro : TROJ_SPNR.0BCO13
McAfee-GW-Edition : Artemis!699E84682ACD
Emsisoft : Trojan.Win32.Injector.AEDR.AMN (A)
Microsoft : PWS:Win32/Zbot
SUPERAntiSpyware : Trojan.Agent/Gen-Festo
GData : Trojan.Generic.KDV.906991
Commtouch : W32/Trojan.LIMH-2300
AhnLab-V3 : Spyware/Win32.Zbot
VBA32 : TrojanSpy.Zbot.jwcj
Ikarus : Trojan-Spy.Win32.Zbot
Fortinet : W32/Injector.AEDR
AVG : Dropper.Generic7.COPV
Panda : Trj/CI.A
Quick review, snapshots & sample of the infection
4mar.exe is a well-known malware: a Citadel bot agent trojan. If the malware runs on your PC it decrypts itself, copies itself and installs the configuration file, as shown below:
The inside of the config file dropped in the picture above looks like this:
The installation of this Citadel bot agent involves injection into other processes, as per the steps below:
After this, the registry autostart entry is set, the config is saved as a binary, and the batch file and the first dropper trojan delete themselves.
A lot of requests go to the remote host (suspected C2), such as:
Some snapshots of the encrypted configuration binary saved in the registry:
In the analysis section we will add more details. This quick review was written for research purposes, to quickly recognize the same threat when it is spotted alive and infectious on the internet.
The self-copied Citadel bot agent is polymorphic: its signature changes to another hash through the self-decrypting process (see the reference PDF, page 3). The snapshot below compares the binary before and after decryption:
For comparison purposes I also uploaded the self-decrypted malware (maca.exe), which has a newly generated hash, to VirusTotal-->>[HERE]
With the detection result below:
SHA256: 411c56f4a8d3127139da30a1eb468af23770ab00a58a0caa6809c1b4ed56b1b1
SHA1: a42a53082a0d06475e1911dc7a49da90a4896e63
MD5: e292e07eaa5e1eadb7c08ed9a59e38bb
File size: 241.5 KB ( 247296 bytes )
File name: maca.exe
File type: Win32 EXE
Tags: peexe armadillo
Detection ratio: 14 / 46
Analysis date: 2013-04-08 05:56:26 UTC ( 1 hour, 18 minutes ago )
With the malware detections below:
F-Secure : Gen:Variant.Symmi.17062
GData : Gen:Variant.Symmi.17062
VIPRE : Trojan.Win32.Generic!BT
AntiVir : TR/PSW.Zbot.1039
ESET-NOD32 : a variant of Win32/Injector.AEDR
MicroWorld-eScan : Gen:Variant.Symmi.17062
Avast : Win32:Crypt-OZC [Trj]
Kaspersky : Trojan-Spy.Win32.Zbot.jwcj
BitDefender : Gen:Variant.Symmi.17062
Malwarebytes : Trojan.Zbot.HEEP
Ikarus : Trojan-Spy.Win32.Zbot
AVG : Dropper.Generic7.COPV
Emsisoft : Gen:Variant.Symmi.17062 (B)
SUPERAntiSpyware : Trojan.Agent/Gen-Festo
Malware Analysis
During the first run, within the first 18 seconds, the Citadel bot touched the registry information pasted here: https://docs.google.com/file/d/0B_YSil_6KDdqWkhtYzRCUTA3WkU/edit?usp=sharing
It creates folders and drops components at:
C:\Documents and Settings\%USER%\Application Data\Aqisme [Random]
C:\Documents and Settings\%USER%\Application Data\Aqisme\maca.exe [Random]
C:\Documents and Settings\%USER%\Application Data\Asanf [Random]
C:\Documents and Settings\%USER%\Application Data\Asanf\gego.eww [Random]
C:\Documents and Settings\%USER%\Application Data\Leni [Random]
C:\Documents and Settings\%USER%\Application Data\Leni\cioci.mii [Random]
C:\Documents and Settings\%USER%\Application Data\Microsoft\Address Book\%USER%.wab
..Temp\tmpda63997b.bat [Random]
..\Temp\MPS1.tmp [Random]
Followed by the registry activities below:
"Setting auto start.."
HKU\..\Microsoft\Windows\CurrentVersion\\Qywirimoy: "C:\Documents and Settings\%USER%\Application Data\Aqisme\maca.exe"
"Some crypto recorded to be set by this malware.."
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 1F 01 A1 E2 6D 40 DD A2 F0 E5 7C B3 7C FA 8A 14
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 93 89 C1 90 F9 F2 CE DB 72 D3 C9 79 C7 2E FA 14
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 59 3C CE E5 81 D9 47 D3 F1 F7 4F 5E 66 10 B0 E3
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: C6 94 48 3F AA F7 77 2D A7 C2 2B 6D ED 30 A5 95
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: AC A6 1A E0 75 9C C5 CF 11 8F 94 9F 49 F6 DE DB
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 2A D3 3C EB FD 54 46 AD C1 DD B5 19 0E F5 77 D4
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 48 E3 63 EE 9C 6C F0 CC B0 09 F1 0B E0 D1 33 94
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 5E FA 48 5A D4 32 F7 25 CC C3 AD 03 ED 07 EC 4F
"Setting for the shell default.."
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData,SUCCESS,Type: REG_SZ, Length: 94, Data: C:\Documents and Settings\%USER%\Application Data
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData,SUCCESS,Type: REG_SZ, Length: 124, Data: C:\Documents and Settings\%USER%\Local Settings\Application Data
"Confirming malware data..."
HKCU\Software\Microsoft\Awoveg\Byatefmi,SUCCESS,Type: REG_BINARY, Length: 160, Data: 70 82 DF 35 1E 94 43 6B 6C AC 58 05 D9 A5 DE 45
"Decoded binary config.."
HKU\..\Software\Microsoft\Awoveg\Byatefmi: 70 8C AC 58 05 D9 A5 DE 45 89 E2 55 6E 6F 97 0A 10 0D DB 1B 35 EE 85 08 BD 70 82 DF 35 1E 94 43
HKU\..\Software\Microsoft\Awoveg\Pekeoph: << snipped.. snipped...>> (long hex blob of the stored config, omitted here)
"Strangely.. Mailer Address Book pointed to dropped ones.."
HKU\..\Software\Microsoft\WAB\WAB4\Wab File Name\: "C:\Documents and Settings\%USER%\Application Data\Microsoft\Address Book\%USER%.wab"
HKU\..\Software\Microsoft\WAB\WAB4\OlkContactRefresh: 0x00000000
HKU\..\Software\Microsoft\WAB\WAB4\OlkFolderRefresh: 0x00000000
HKU\..\Software\Microsoft\WAB\WAB4\First: 0x00000001
We have two important points: one is the encoding using crypto, the other is the Mailer Address Book. The remaining points are mostly covered by the AhnLab PDF report. Looking at the downloaded data in the malware code (see the network analysis below), I must admit to finding an uneasy six detailed encryption routines, with the number of rounds and the key pointing me to the AES-256 cipher used here (see the crypto key in the registry above).
I can't afford the luxury of playing around with the encryption this time, so I searched Google and found a good analysis explaining how to decode the Citadel config here-->>[HERE] (thanks to Fabien Perigaud). Since the same conditions were found in the sample binary on reversing, the rest of the decoding steps should work as his posted guideline describes (we will confirm the details later).
Wireshark C2 Analysis
As with any bot, the networking is important for tracing the source of the infection.
We made two capture sessions; all the remote requests can be described by the DNS request list of domains used by the malware below:
Upon connecting to the requested hosts, the Citadel bot executes HTTP/1.1 POST requests:
One set of POST events with the data sent and the reply:
Request:
..and the reply received:
The ../pro/file.php POST request session triggers a big binary download:
Request details:
..and the response:
If we classify the HTTP responses we can see which sites are still up and infected and which have just been cleaned up: the ones marked red are active and the green ones are now-clean sites. (In the active ones we see the IPs 89.184.82.143 and 221.132.39.132.)
Where 89.184.82.143 is actively providing the config download:
Details of the currently infectious, "alive" Citadel C2 IP:
The domains currently used for the callbacks (alive domains only):
tableindexcsv.com 89.184.82.143
keximvlc.com.vn 221.132.39.132
www2029.sakura.ne.jp 59.106.171.39
thoikhang.com.vn 203.119.8.111
k-k131.co.jp 59.106.171.39
0704271d3a758a87.com 195.22.26.231
The HTTP/1.1 POST URL patterns used in this case are:
/administrator/modules/mod_menu/tmpl/content.php
/administrator/templates/system/html/file.php
/pro/file.php
And guess what? NAUNET was behind one of these infector domains..
Domain Name: TABLEINDEXCSV.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: http://www.PublicDomainRegistry.com
Name Server: DNS1.NAUNET.RU
Name Server: DNS2.NAUNET.RU
Status: clientTransferProhibited
Updated Date: 01-mar-2013
Creation Date: 01-mar-2013
Expiration Date: 01-mar-2014
↑This raises the verdict on NAUNET as a malware-site affiliate even more, after the "RU:8080" blackhole case we've been through.
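To turn the two URL patterns above into something a defender can run over proxy logs, here is an added example (not code from the original post): it matches the dropper/config download regex from the top of the post and the three C2 POST paths listed above. The log line shape ("client METHOD url status") and the sample lines are constructed for the example; the hosts in them are taken from this post except example.org.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Dropper/config download pattern from the post: .../file.php|file=<name>
# The "|" is a literal character in the URL; the suffixes are the payload
# types seen in the infection URLs above (exe, bin, dll).
DROPPER_RE = re.compile(r"/file\.php\|file=([^\s\"']+\.(?:exe|bin|dll))", re.IGNORECASE)

# C2 POST paths observed in the capture (the URL pattern list above).
C2_PATHS = (
    "/administrator/modules/mod_menu/tmpl/content.php",
    "/administrator/templates/system/html/file.php",
    "/pro/file.php",
)

# Assumed (constructed) log shape: "<client> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")

@dataclass
class Hit:
    kind: str    # "dropper" (payload/config fetch) or "c2-post" (callback)
    host: str
    detail: str  # downloaded file name, or the C2 path that was POSTed to

def scan_line(line: str) -> Optional[Hit]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _client, method, url, _status = m.groups()
    host, _, rest = url.split("://", 1)[-1].partition("/")
    path = "/" + rest
    d = DROPPER_RE.search(path)
    if d:
        return Hit("dropper", host, d.group(1))
    # Callback check: only POSTs to the exact C2 paths count.
    if method == "POST" and path.split("?", 1)[0] in C2_PATHS:
        return Hit("c2-post", host, path)
    return None

def scan_log(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (scan_line(l) for l in lines) if h]

# Constructed sample log; the third line is a benign look-alike (no "|file=").
SAMPLE_LOG = """\
10.0.0.5 GET http://www.keihingroup.co.jp/libraries/joomla/access/file.php|file=4mar.exe 200
10.0.0.5 POST http://tableindexcsv.com/pro/file.php 200
10.0.0.7 GET http://example.org/file.php?file=readme.txt 200
10.0.0.5 GET http://k-k131.co.jp/administrator/templates/system/html/file.php|file=conf.bin 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```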
Samples
We share the sample for research purposes and for raising the detection ratio.
Download the sample-->>[HERE]
#MalwareMustDie!