Saturday, February 22, 2014

Nigerian Citadel-as-a-Service Network (again)

Many Citadel botnets posted on CyberCrime-Tracker, hosted on the same IP with some interesting names.



We have seen this guy before. Here and here.

Now he has rebuilt (for now) on 91.214.203.132


WHOIS 91.214.203.132
inetnum:        91.214.200.0 - 91.214.203.255
netname:        ROXNET-COM-NET
descr:          SRL ROXNET-COM
descr:          Chisinau, Moldova
country:        MD



Dir Listing

Kingmaker?
Probably related to the Kingtools Citadel brand here



No time to take all of these screenshots so I will just post stats.


abbey - 0 bots
austin - 59 bots
ben - 35 bots / 19k reports
biz - 3 bots / 105 reports
blessbayo - 1 bot
chido - 2 bots
dammy - 16 bots / 14546 reports
dede - 2 bots
drsmart - 19 bots
easy - 12 bots / 2685 reports
favour - 24 bots
forever - 14 bots
ideal - 27 bots
iguy - 17 bots
larry-uk - 14 bots
moratti - 62 bots / 13392 reports
ogoguy - ? bots
steve - 1 bot
work - 1 bot
xz - 1 bot
TOTAL: 310 bots



Citadel Malware from this server:


This junk is all offline now.

But I'm sure we'll see him again.

Wednesday, February 12, 2014

Kingtools - Nigerian Rebranded Citadel

KingTools Spyware System is an attempt to rebrand Citadel 1.3.5.1.

The Citadel logo is changed to the Kingtools logo.
This is the only noticeable change that is different between the two systems.

The system discussed here was hosted on the following IPs:
10-Feb-2014  taking.no-ip.biz = 41.71.217.19 (Lagos, Nigeria)
11-Feb-2014  taking.no-ip.biz = 41.138.186.179 (Lagos, Nigeria)

This particular C&C was discovered earlier this week in the log files of another Citadel server I was researching. You can read that post here.


Citadel log, referencing the typical URL structure of an HTTP botnet.
Looks like a Citadel / ZeuS:





It had an interesting message on the index.


And there was a Citadel panel:
Login:







The KingTools Citadel panel:


Pretty boring. It looks just like Cit 1.3.5.1.
I can't find any other differences besides the logo.

Software versions:
Operation system: Windows NT 6.1 build 7601 (Windows 7 Home Basic Edition Service Pack 1), i586
Control panel: 1.3.5.1
PHP: 5.4.19, apache2handler
Zend engine: 2.4.0
MySQL server: 5.5.32
MySQL client: mysqlnd 5.0.10 - 20111026 - $Id: e707c415db32080b3752b232487a435ee0372157 $

We can see from the options page of the panel that the server is currently installed on a Windows 7 Home Basic Edition PC. This is most likely just a temporary setup while he shifts things around and tries to retain 'customers'. 

These Nigerian spammers and scammers are clearly evolving. This looks like a new trend for them, different from the Advance Fee Fraud (419 scams) they usually attempt. By utilizing Citadel, they are now able to perform much more sinister deeds than just sending scam email. 

Unfortunately for them I enjoy taking this garbage down in my spare time.

Let me know if you see more of this KingTools Citadel.

Thank you to BK for intel. 

2x Citadel C&C + new find

Found 2x Citadel C&C on CyberCrime Tracker.
81.236.49.249 - www.lbmedical.se/media/system/css/cp.php?m=login
93.125.99.9   - gaskotel.by/templates/system/css/cp.php?m=login

Usual Citadel panels and bots, however this time I find another C&C in the log files. Seems that a PC was infected with two different Citadel bots and one of them grabbed the POST traffic to the gate.php of another C&C. This 'double infection' is something that happens, but this particular one was kind of interesting.

This newly found server, taking.no-ip.biz, resolves to a network in Nigeria. More on this development later.

Login:
(Gaskotel.by)
Summary


Options:






(lbmedical.se)
Summary:



Found another Citadel in the logs





Let's have a look:

Yep, it looks like Citadel.

Login:


Interesting note on the index.


We recently survived a server shutdown due to high load on our servers. We have now relocated our servers to keep providing the best City service. Please send your username and link to kingtools.inc@live.com to setup your new info. 
Are you sure it was due to high load? It couldn't have been someone that maybe deleted your panels, dropped your databases and shut the servers down?


Found malware sample. 

main_doc.zip > main_doc.exe
FUD.
https://malwr.com/analysis/ODcwY2FlYmZiNmNjNDY3NGIzMGRmZDJkMDRjNjlhNmU/



More Nigerian Citadel-as-a-Service

Recently, I discovered a large group of Citadel botnets that seem to be administrated by the same person (or people). This claim is based on, among other things, the fact that the servers I have been following have very similar configurations. This is not a coincidence.

Furthermore, from the evidence gathered it appears that the admin is offering his services by providing hosting and configuration of Citadel brand botnets (all are the leaked 1.3.5.1 version).

Log files on the servers indicate the actor is located in Nigeria and many of the 'customers' using the panels are Nigerians as well.

This discovery started out as usual research. 'ZeuS Tracker' posted the server and I had a look at it.


The first group of C&Cs I will discuss were located on this network:
inetnum:        87.236.215.0 - 87.236.215.255
netname:        OneGbits
descr:          1 Gbits Com

First Citadel control server:
https://zeustracker.abuse.ch/monitor.php?host=87.236.215.88
87.236.215.88

'USA' Summary:
187 bots


OS Stats:


Running Script:
hxxp://cm8899.com/twe/download/black/winsys.exe


Script was downloading from cm8899.com.

Malwr.com analysis: Winsys.exe

This server had open dir listings and some other stuff.


More malware samples:

Friendly looking Joomla brute:




Sample of log on 87.236.215.88:
41.190.3.225 - - [03/Feb/2014:08:24:09 +0000] "GET /service/usa/server/install/index.php HTTP/1.1" 200 3686
41.190.3.225 - - [03/Feb/2014:08:28:56 +0000] "GET /service/usa/server/cp.php HTTP/1.1" 302 -
41.190.3.225 - - [03/Feb/2014:08:29:05 +0000] "GET /service/usa/server/cp.php?m=login HTTP/1.1" 200 1470
41.190.3.225 - - [03/Feb/2014:08:29:15 +0000] "GET /service/usa/server/cp.php?m=home HTTP/1.1" 200 8294
41.190.3.110 - - [03/Feb/2014:21:02:08 +0000] "GET /service/usa/server/cp.php?m=login HTTP/1.1" 200 1470
41.190.3.110 - - [03/Feb/2014:21:02:26 +0000] "GET /service/usa/server/cp.php?m=home HTTP/1.1" 200 12052

The admin and control panel users are operating from a network located in Nigeria. 



Down the Rabbit Hole

I got curious and started looking around on the remainder of the 87.236.215.xx network.

Found plenty more naughty control servers.

Each directory listed is the unique name of the botnet and in this case the encryption key for that particular botnet.

All of them were installed and logged in from that same 41.190.x.x network in Nigeria. 
Nice. 

9x Citadel botnets
5x Citadel botnets

6x Citadel botnets
atm?

I was thinking the 'atm' botnet would be more interesting. Not ATM machines. 


Cute PayPal phishing, targeting Germans.




Summary:
What started out as investigating one control server turned into 20 different Citadel botnets. This has shed a bit of light on the current cyber crime trends occurring not only in Nigeria but in the greater threat landscape. This botnet-as-a-service / crimeware-as-a-service model is already well underway and will continue to grow.


I am currently researching more of the infrastructure from this particular Administrator. 

Yes, there is much more good stuff to post. Coming soon. 

All of this garbage has been deleted from the servers mentioned. These botnets are no longer operational. 


Tuesday, February 11, 2014

Citadel Network hosted on OneGbits, NL

I discovered and dismantled quite a large network of Citadel botnets last week.
More details on this to follow. 

Hosting network:
inetnum:        5.56.133.0 - 5.56.133.255
netname:        OneGbits
descr:          1 Gbits Com
country:        NL

Statistics Summary:
7 servers
34 control panels
1086 bots total  - (you're welcome people)


The chart below details which IP had Citadel control panels installed. The name listed is the name of the botnet and its corresponding encryption key. An asterisk indicates that a malware binary was found in this directory too. (Malwr.com links at the bottom of post)

5.56.133.46 - 362 bots
bomb - 1
choosen - 6
drsmart - 110
drsmart1 - 2
godwin - 120
jo - 80 *
kazeem - 4
pelumi - 8
slimmy - 6
vip - 25

5.56.133.47 - 213 bots
ben - 121
bobby - 49
dacrown - 0
forever - 23 *
macdavid - 19
prince - 1

5.56.133.44 - 299 bots
babs - 62
dammy - 28
hope - 209

5.56.133.74 - 125 bots
dayo - 3
iguy - 1
ogbos - 2
ogoguy - 2
sender - 117 *

5.56.133.71 - 6 bots
larry-uk - 6

5.56.133.72 - 66 bots
abbey - 3
crown - 9
timo - 2 *
xperiaz - 52 *

5.56.133.73 - 15 bots
blessbayo - 2
drgoody - 9
ebony - 2
hammed - 1
isiaka - 1



Screenshots 
Looking at Citadel bots through WSO shell using MySQL client.













Malware Samples:
https://malwr.com/analysis/ZTE1OGFkNTJkZDkzNDQ4Yzg5MzkzYzY5ZjE5ODUxOTU/
https://malwr.com/analysis/NGIyNWJlMWRjMjRkNGEzYWJmMjI1MzRiN2NlYjczYjY/
https://malwr.com/analysis/YzE2MmI3MTA1MTU2NGFiMzgwOGQ2ZmM2YWUyZTM2MmY/
https://malwr.com/analysis/ZjE0MzBlM2QwMDdkNDJiMzlmZTVhZmM1NjI5MjY1YzQ/
https://malwr.com/analysis/NjlmMDliOGZmZDU1NGNjYmJjMzZiMjkwN2E0NjgyMjk/

Monday, February 10, 2014

Nigerian Citadel on 5.56.133.47

Citadel - Nigerian Admin, 121 bots

inetnum:        5.56.133.0 - 5.56.133.255
netname:        OneGbits
descr:          1 Gbits Com
country:        NL

We have seen Citadel on this OneGbits network before. Hmm..


At first it seems pretty standard, nothing too interesting here.


Someone loved this botnet:
121 bots
+200k reports


Bots


Open Directory listings.
Hmm.. There is more than one panel on this machine.
Not too many bots in these ones.

A malware sample.

nforever.exe
474af7ac6f494a9c5ba1dcd97c72dc6a



As you can see from the screenshots, this is the URL to the panel:

hxxp://5.56.133.47/office/ben/server/cp.php?m=stats_main

I dropped a shell and had a peek at the logs - grep for what we need.

41.190.3.178 - - [07/Jan/2014:12:48:02 -0800] "GET /office/ben/server/install/ HTTP/1.1" 200 3685
41.190.3.178 - - [07/Jan/2014:12:49:05 -0800] "GET /office/ben/server/cp.php?m=login HTTP/1.1" 200 1470
41.190.3.178 - - [07/Jan/2014:12:49:16 -0800] "GET /office/ben/server/cp.php?m=home HTTP/1.1" 200 8293
41.138.185.216 - - [20/Jan/2014:23:29:39 -0800] "GET /office/ben/server/cp.php?m=reports_db&bots=ADMIN-PC_E532648A321E07F6&botnets=&ips=&countries=&q=&qstop=&urlmask=&blt=0&online=0&cs=0&grouping=0&nonames=0&rm=0&date=140121 HTTP/1.1" 200 627


We can see the installation occurred on 7-Jan-2014 and, from the control panel, the first activity was 9-Jan-2014. IP address of installer and user: Lagos, Nigeria.
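The log triage done in this post and the earlier one (grep the access log for the panel installer and cp.php login/home requests, then read off the installer's IP and the install date), as an added Python example that is not code from the original posts. It parses Apache common-format lines like the ones quoted above and groups panel hits by client IP; the marker patterns and the benign fourth sample line are my assumptions, chosen from the URL structure shown on this page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format, matching the excerpts quoted in the post.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Panel URLs of the leaked Citadel 1.3.5.1 kit as they appear on this page (assumed
# marker set): the web installer, cp.php login/home, and the bot gate (gate.php).
PANEL_MARKERS = {
    "install": re.compile(r'/install/(index\.php)?$'),
    "login":   re.compile(r'/cp\.php\?m=login'),
    "home":    re.compile(r'/cp\.php\?m=home'),
    "gate":    re.compile(r'/gate\.php'),
}

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def panel_activity(lines):
    """Group panel hits by client IP: earliest timestamp and a count per marker."""
    out = defaultdict(lambda: {"first": None, "actions": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = next((k for k, rx in PANEL_MARKERS.items() if rx.search(rec["path"])), None)
        if kind is None:
            continue  # ordinary request, not a panel URL
        entry = out[rec["ip"]]
        if entry["first"] is None or rec["ts"] < entry["first"]:
            entry["first"] = rec["ts"]
        entry["actions"][kind] += 1
    return {ip: {"first": v["first"], "actions": dict(v["actions"])} for ip, v in out.items()}

# Sample input: the first three lines are the access-log excerpt quoted in this post;
# the fourth is a constructed benign request (documentation IP range) that must be ignored.
SAMPLE_LOG = """\
41.190.3.178 - - [07/Jan/2014:12:48:02 -0800] "GET /office/ben/server/install/ HTTP/1.1" 200 3685
41.190.3.178 - - [07/Jan/2014:12:49:05 -0800] "GET /office/ben/server/cp.php?m=login HTTP/1.1" 200 1470
41.190.3.178 - - [07/Jan/2014:12:49:16 -0800] "GET /office/ben/server/cp.php?m=home HTTP/1.1" 200 8293
198.51.100.7 - - [08/Jan/2014:09:00:00 -0800] "GET /office/ben/server/images/logo.png HTTP/1.1" 200 512
"""
```

Calling `panel_activity(SAMPLE_LOG.splitlines())` yields one entry, for 41.190.3.178, with first-seen 2014-01-07 and one install, login and home hit each, which is exactly the install-and-login sequence the post reads off the raw log.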

It looks like some Yahoo boys are back at their old tricks.

I have taken this pile of junk down.


There is more to this story. Coming soon.