The Citadel Trojan kit includes a module that lets criminals connect remotely, using a VNC client, to computers infected with the Citadel malware.
Once connected to the infected machine, the criminals can make financial transactions from it. Because the transfers originate from the customer's legitimate IP address and legitimate computer, the banks' operational control systems cannot detect them as fraudulent.
The VNC Manager kit is made up of the following files:
The script "test.php" is used to check the connectivity of the infected computer:
hXXp://winserv_php_gate/test.php?p1=13319&p2=23283&b=AKSERVER_D9FA7E50D0F76FCB
The script code is as follows:
The file that opens the tunnel on the specified ports is the executable cbcs.exe (Citadel Backconnect Server), an updated version of the same application shipped with the well-known ZeuS Trojan, zsbcs.exe (ZeuS Backconnect Server).
The connection is started as follows:
C:\>zsbcs.exe listen -cp:13319 -bp:23283
C:\> cbcs.exe listen -cp:13319 -bp:23283
Citadel Backconnect Server 1.2.0.0.
Build time: 13:12:41 07.12.2012 GMT.
Listening on IPv4 port 23283.
Listening on IPv4 port 13319.
Press Ctrl+C key to shutdown server.
Waiting for incoming connections (port of bot:23283, port of client:13319)
Once the tunnel on the communications port is open, criminals can connect remotely via VNC or execute commands on the infected user's computer, giving them full control of the machine and its desktop. When the infected user interacts with e-banking applications, the criminals can run scripts on the infected machine to modify the customer's transactions and operate with the user credentials previously captured by the Citadel Trojan's keylogger.
The statistics panel that displays active VNC connections is reached via the URL hXXp://ip-serv/control.html
On this server, the list of computers that are infected with the Trojan and have been used by the criminals for fraudulent purposes can be seen at
hXXp://195.242.218.25/control.html
The list of infected users is also stored in the server file
hXXp://195.242.218.25/log.txt
[04.09.2012 15:37:48] WOLF_7875768F483EE109, p1=11968 ,p2=34851
[04.09.2012 15:38:22] PERSONAL_74DEB1E387314069, p1=18666 ,p2=38002
[04.09.2012 23:48:39] ANDRES-HP_E532648A4A3763CB, p1=19870 ,p2=28229
[04.09.2012 23:50:17] 3A0AAE55F75646A_7875768F3990DE0A, p1=14943 ,p2=36576
[04.09.2012 23:51:50] ADMIN-PC_74DEB1E3F090E324, p1=17688 ,p2=31963
[05.09.2012 17:37:08] DIAL_INT-PC_E532648A8AFF5F32, p1=15504 ,p2=35943
[05.09.2012 17:38:35] LUIS-4E3325EABE_B4DF7611605FA143, p1=11689 ,p2=29435
[06.09.2012 13:53:25] RAULSISTEMAS_4983EC5A2711C179, p1=12665 ,p2=24109
[06.09.2012 13:55:15] CARLOS_7875768F483EE109, p1=18871 ,p2=25181
[06.09.2012 13:55:49] JAVIER_B4DF7611483EE109, p1=11475 ,p2=26807
[06.09.2012 13:56:24] OMARVAZQUEZ_1CB98D876522DF69, p1=15011 ,p2=31385
[06.09.2012 13:57:45] PUESTOV_4983EC5ACB9AD960, p1=19115 ,p2=34960
[07.09.2012 15:47:07] SHXP2364_7875768F7E657C89, p1=14409 ,p2=36871
[07.09.2012 15:48:23] PERSONAL_74DEB1E387314069, p1=10806 ,p2=34226
[07.09.2012 15:48:34] PC-JAVIER_7875768FEABD3289, p1=17728 ,p2=36485
[07.09.2012 15:49:00] DIAGONALMARLIM1_4A073834B2FFEE74, p1=18676 ,p2=28923
[07.09.2012 15:50:10] ANA-MARI-THINK_74DEB1E315C0DF75, p1=19752 ,p2=37007
This list contains only users from Spain, who have probably been victims of fraud in their online bank accounts.
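As an added example (not code from the original post), the Python below parses the two artefacts described above, the test.php connectivity check URL and the entries of the server's log.txt, into structured records. An analyst handling a seized copy of the log, or an enterprise proxy log, can then recover victim hostnames, bot IDs and the two backconnect ports, and spot hosts that were reconnected to more than once. The port mapping (p1 = client port, p2 = bot port) follows the listen command's output shown earlier; the proxy log layout and its lines are constructed for the example, and the helper names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Four entries of the backconnect server's log.txt, in the format shown on the page.
SAMPLE_LOG = """\
[04.09.2012 15:37:48] WOLF_7875768F483EE109, p1=11968 ,p2=34851
[04.09.2012 15:38:22] PERSONAL_74DEB1E387314069, p1=18666 ,p2=38002
[05.09.2012 17:37:08] DIAL_INT-PC_E532648A8AFF5F32, p1=15504 ,p2=35943
[07.09.2012 15:48:23] PERSONAL_74DEB1E387314069, p1=10806 ,p2=34226
"""

# Constructed proxy log lines (assumed layout "<timestamp> <client_ip> <url>");
# only the first carries the test.php check-in shape from the page.
SAMPLE_PROXY = """\
2012-09-04T15:37:40Z 10.0.0.15 http://winserv_php_gate/test.php?p1=11968&p2=34851&b=WOLF_7875768F483EE109
2012-09-04T15:40:00Z 10.0.0.22 http://www.example.com/index.html
2012-09-04T15:41:12Z 10.0.0.15 http://www.example.com/test.php?x=1
"""

LOG_LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\]\s+"
    r"(?P<bot>\S+),\s*p1=(?P<p1>\d+)\s*,\s*p2=(?P<p2>\d+)\s*$"
)


@dataclass(frozen=True)
class Checkin:
    hostname: str                    # victim's Windows computer name
    bot_id: str                      # 16 hex digits Citadel appends to the name
    client_port: int                 # p1: port the VNC client connects to (-cp)
    bot_port: int                    # p2: port the infected host calls back to (-bp)
    seen: Optional[datetime] = None  # only known for log.txt entries


def split_bot_name(name: str) -> Optional[Tuple[str, str]]:
    """'DIAL_INT-PC_E532648A8AFF5F32' -> ('DIAL_INT-PC', 'E532648A8AFF5F32').
    Hostnames may themselves contain underscores, so split on the last one."""
    host, sep, bot_id = name.rpartition("_")
    if not sep or not re.fullmatch(r"[0-9A-F]{16}", bot_id):
        return None
    return host, bot_id


def parse_log_line(line: str) -> Optional[Checkin]:
    """One '[dd.mm.yyyy hh:mm:ss] NAME_ID, p1=N ,p2=M' entry, or None."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    parts = split_bot_name(m.group("bot"))
    if parts is None:
        return None
    return Checkin(parts[0], parts[1], int(m.group("p1")), int(m.group("p2")),
                   datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M:%S"))


def parse_checkin_url(url: str) -> Optional[Checkin]:
    """Recognise the test.php?p1=&p2=&b= connectivity check; None otherwise."""
    parts = urlsplit(url)
    if not parts.path.endswith("/test.php"):
        return None
    q = parse_qs(parts.query)
    if not all(k in q for k in ("p1", "p2", "b")):
        return None
    if not (q["p1"][0].isdigit() and q["p2"][0].isdigit()):
        return None
    name = split_bot_name(q["b"][0])
    if name is None:
        return None
    return Checkin(name[0], name[1], int(q["p1"][0]), int(q["p2"][0]))


def parse_log(text: str) -> List[Checkin]:
    return [c for c in (parse_log_line(l) for l in text.splitlines()) if c]


def repeat_victims(records: List[Checkin]) -> Dict[str, int]:
    """Bot IDs seen more than once: the same host was reconnected to on
    separate occasions, each one a potential fraudulent session."""
    counts = Counter(c.bot_id for c in records)
    return {b: n for b, n in counts.items() if n > 1}


def flag_proxy_lines(text: str) -> List[Tuple[str, Checkin]]:
    """(client_ip, Checkin) for every proxy line whose URL is a check-in."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ", 2)
        if len(fields) != 3:
            continue
        c = parse_checkin_url(fields[2])
        if c:
            hits.append((fields[1], c))
    return hits


if __name__ == "__main__":
    for ip, c in flag_proxy_lines(SAMPLE_PROXY):
        print(f"check-in from {ip}: host={c.hostname} bot={c.bot_id} "
              f"cp={c.client_port} bp={c.bot_port}")
    print("reconnected more than once:", repeat_victims(parse_log(SAMPLE_LOG)))
```

A proxy hit gives the internal client IP of the infected host, which the server-side log never contains, so the two views complement each other: the log tells an investigator which hostnames and bot IDs were abused and when, the proxy hit tells a defender which machine on their own network to isolate.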
Other servers hosting the same criminal VNC infrastructure have been located so far:
hXXp://95.77.98.137/, hosted by the provider UPC Romania (BUCURESTI B2B MPLS), Romania
hXXp://www.wanderbaresdeutschland.de/, hosted on the IP 85.214.116.67 belonging to the provider stratoserver.net, Germany
hXXp://46.166.129.65/, hosted by the provider SANTREX-INTERNET-SERVICES, UK