The Citadel Troyan kit has a module that allows criminals to connect remotely using VNC client to users' computers infected with this Citadel malware
This allows criminals connected to the infected machine to make financial transactions through this way. This will make fraudulent transfers undetectable by operational control systems of banks because transfers are being made through the legitimate IP and legitimate computer of customers.
The structure of KIT VNC Manager is made up of the following files:
Script “test.php” is used to check the connectivity of the infected computer.
The script code is as follows:
It is noted as the file that opens the tunnel against the specified ports is the executable cbcs.exe (Citadel Backconnect Server), an updated version of the same application for the famous Zeus Trojan: zsbcs.exe (ZeuS Backconnect Server)
The way that initiates the connection is:
C:\>zsbcs.exe listen –cp:13319 -bp:23283
C:\> cbcs.exe listen -cp:13319 -bp:23283
Citadel Backconnect Server 220.127.116.11.
Build time: 13:12:41 07.12.2012 GMT.
Listening on IPv4 port 23283.
Listening on IPv4 port 13319.
Press Ctrl+C key to shutdown server.
Waiting for incoming connections (port of bot:23283, port of client:13319)
After opened communications port tunnel, criminals can connect remotely via VNC or execute commands against the infected user's computer to have full control of the machine and its desktop. When infected user interacts with its e-banking applications criminals can run scripts on the infected machine to modify customer transactions and operate with user credentials captured previously by the keylogger of the Citadel Troyan.
Access to the statistical panel that displays active VNC connections is via URL: hXXp://ip-serv/control.html
On this server you can see the list of computers infected with Trojan and have been used for fraudulent purposes by criminals at hXXp://18.104.22.168/control.html
This list of infected users is also stored in the server file:
[04.09.2012 15:37:48] WOLF_7875768F483EE109, p1=11968 ,p2=34851
[04.09.2012 15:38:22] PERSONAL_74DEB1E387314069, p1=18666 ,p2=38002
[04.09.2012 23:48:39] ANDRES-HP_E532648A4A3763CB, p1=19870 ,p2=28229
[04.09.2012 23:50:17] 3A0AAE55F75646A_7875768F3990DE0A, p1=14943 ,p2=36576
[04.09.2012 23:51:50] ADMIN-PC_74DEB1E3F090E324, p1=17688 ,p2=31963
[05.09.2012 17:37:08] DIAL_INT-PC_E532648A8AFF5F32, p1=15504 ,p2=35943
[05.09.2012 17:38:35] LUIS-4E3325EABE_B4DF7611605FA143, p1=11689 ,p2=29435
[06.09.2012 13:53:25] RAULSISTEMAS_4983EC5A2711C179, p1=12665 ,p2=24109
[06.09.2012 13:55:15] CARLOS_7875768F483EE109, p1=18871 ,p2=25181
[06.09.2012 13:55:49] JAVIER_B4DF7611483EE109, p1=11475 ,p2=26807
[06.09.2012 13:56:24] OMARVAZQUEZ_1CB98D876522DF69, p1=15011 ,p2=31385
[06.09.2012 13:57:45] PUESTOV_4983EC5ACB9AD960, p1=19115 ,p2=34960
[07.09.2012 15:47:07] SHXP2364_7875768F7E657C89, p1=14409 ,p2=36871
[07.09.2012 15:48:23] PERSONAL_74DEB1E387314069, p1=10806 ,p2=34226
[07.09.2012 15:48:34] PC-JAVIER_7875768FEABD3289, p1=17728 ,p2=36485
[07.09.2012 15:49:00] DIAGONALMARLIM1_4A073834B2FFEE74, p1=18676 ,p2=28923
[07.09.2012 15:50:10] ANA-MARI-THINK_74DEB1E315C0DF75, p1=19752 ,p2=37007
This list contains only users from Spain that have probably been victims of fraud in their online bank accounts.
Currently other servers have been located containing the same VNC criminal infrastructure:
hXXp://22.214.171.124/ hosted on the provider UPC Romania BUCURESTI B2B MPLS From Romania
hXXp://www.wanderbaresdeutschland.de/ hosted on the IP 126.96.36.199 belonging to provider stratoserver.net from Germany
hXXp://188.8.131.52/ hosted on the provider SANTREX-INTERNET-SERVICES from UK