It is located in the domain zaebal11.uni.me hosted on an IP of Panama.
The infection vector that drops the trojan is:
hXXp://zaebal11.uni.me/loads/
It downloads the malicious binary:
hXXp://zaebal11.uni.me/loads/cita.exe
Binary size cita.exe: 271622
MD5: 6b7a7415276014b9a9e6350724f4cae7
This malware infects the user with the Citadel Trojan which tries to connect against the fraudulent domain netreverseram.ru that is currently idle.
Access to the statistical panel of "Anonymous exploits kit" is via URL address:
hXXp://zaebal11.uni.me /loads/statistics/login.php
Showing the following screen:
Once inside the panel it can see the tracking information of infected users, the victim's home country, operating system version, browser version etc.
At the time of analysis this kit was in a very initial state without any infected user yet. There are only traces of the authors of KIT from IP of Netherlands.
The file structure of the KIT is:
As remarkable new code of all files that make up the kit have been encrypted in Base64
This KIT takes advantage of vulnerabilities discovered for Java and PDF to infect the user with configured exploits in the kit:
Exploits are also encrypted so they couldn’t be reused by other criminal groups, and certainly when criminals finish adapting the kit will have the latest vulnerabilities zero-day discovered for Java
In fact in the same fraudulent domain is hosted the famous Control panel Multilocker Trojan or Trojan Police that uses Java exploits to spread
As showed in the following screens:
No hay comentarios:
Publicar un comentario
Nota: solo los miembros de este blog pueden publicar comentarios.