2013-04-08

We received a request to help investigate the latest Citadel bot agent and config dropper C2 sites that exist on the internet, for evidence and shutdown purposes. The investigation started and we are posting some results here; the overall analysis contains sensitive information that we cannot disclose in full, so please kindly bear with the materials posted.

(For a reference analysis of Citadel that can be read alongside this one, I recommend the Malware Analysis: Citadel report by AhnLab-->>[HERE])

From some references we figured out that the latest Citadel config dropper URL matches the following regex:

A quick search turned up the infection URLs below:
The trojan downloader:

and the config files:

↑As you can see, these are Joomla! and WordPress sites.

A regex search in URLquery results in many infected sites, as shown in the picture below; you can click it to see the result.


Since the shutdown effort was prioritized in this case, we will share a detailed analysis of the infected file downloaded from the first URL only, which I uploaded to VirusTotal as shown below, at this URL -->>[HERE]

The VirusTotal check of the downloaded 4mar.exe showed:

The detection rate is not bad:

Quick review, snapshots & sample of the infection

4mar.exe is well-known malware: the Citadel bot agent trojan. If the malware runs on your PC it decrypts itself, copies itself and installs the configuration file, as shown below:


And the contents of the config file dropped in the picture above look like this:


The installation of this Citadel bot agent can be observed as a series of malicious process injections, following the steps below:

After this, the registry autostart entry is set, the config is saved as a binary, and the batch files plus the first dropper trojan self-delete.

There are a lot of requests to the remote host (suspected C2), like:

A snapshot of the encrypted configuration binary saved in the registry:

In the analysis section we will add more details. This quick review was written for research purposes, to quickly recognize the same threat when it is spotted alive and infectious on the internet.

The self-copied Citadel bot agent has a polymorphic signature, so its hash differs after the self-decrypting process (see the reference PDF, page 3); the snapshot below compares the binary before and after decryption:

For comparison purposes I also uploaded the self-decrypted malware (maca.exe), which has a new hash, to VirusTotal-->>[HERE]
with the detection result below:

With the malware detections below:

Malware Analysis

During the first run, in the first 18 seconds, the Citadel bot touched the registry information listed in the paste below: https://docs.google.com/file/d/0B_YSil_6KDdqWkhtYzRCUTA3WkU/edit?usp=sharing It creates a folder and drops its components at:

followed by the registry activities below:

We have two important points: one is the encoding using crypto, the other is the Mailer Address Book. Everything else is mostly covered by the AhnLab PDF report. Looking at the downloaded data in the malware code (see the network analysis below), I must admit I found an uneasy encryption with 6 detailed steps, whose number of rounds and key point me to the AES/256 cipher used here (see the crypto key in the registry above).

I don't have the luxury of playing around with the encryption this time, so I searched Google and found a good analysis explaining how to decode the Citadel config here-->>[HERE] (thanks to Fabien Perigaud). Since the same conditions were also found in the sample binary on reversing, the rest of the decoding steps should work as in his posted guideline (will confirm the details later).

Wireshark's C2 Analysis

As with any bot, the networking is important for tracing the source of infection.
We made two capture sessions; all the remote hosts requested can be seen in the list of DNS requests for the domains the malware used, below:

Upon connecting to the requested hosts, the Citadel bot executes HTTP/1.1 POST requests:

One set of POST events, the data sent and its reply:

Request:

..and the reply received:

The ../pro/file.php POST request session triggers a large binary download:

Request details:
..and the response:

If we classify the HTTP responses we can see which sites are still up and infected and which have just been cleaned up: the ones marked red are active and the green ones are now-clean sites. (Among the active ones we see the IPs 89.184.82.143 and 221.132.39.132.)
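One way to operationalize this classification on the defender's side, as an added example that is not from the original post: a Python script that scans proxy log lines for POSTs to the config path and for the two active IPs named above, and marks each host as active or cleaned by its HTTP status. The log format, the host names and every IP other than the two from the post are assumptions; the sample lines are constructed.

```python
import re

# Indicators from the post: the config-download path (../pro/file.php) and the two IPs
# listed as still active. The log format and the sample lines below are constructed.
CITADEL_POST_PATH = re.compile(r"/pro/file\.php$")
ACTIVE_C2_IPS = {"89.184.82.143", "221.132.39.132"}

# Assumed proxy log format: "<time> <client_ip> <method> <url> <dst_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d{3})$"
)
RANK = {"unknown": 0, "cleaned": 1, "active": 2}

def classify_callbacks(lines):
    """Map each host that received a Citadel-style callback to 'active', 'cleaned' or 'unknown'.

    A POST to the config path answered with 200 means the site still serves the config
    (active); a 4xx/5xx answer means it no longer does (cleaned). A destination on the
    post's active-IP list is marked active regardless of status.
    """
    verdicts = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format; skip rather than guess
        url, dst, status = m.group("url"), m.group("dst"), int(m.group("status"))
        host = re.sub(r"^https?://", "", url).split("/")[0]
        path = re.sub(r"^https?://[^/]+", "", url)
        hit_path = m.group("method") == "POST" and CITADEL_POST_PATH.search(path)
        if not hit_path and dst not in ACTIVE_C2_IPS:
            continue
        if dst in ACTIVE_C2_IPS or status == 200:
            verdict = "active"
        elif 400 <= status < 600:
            verdict = "cleaned"
        else:
            verdict = "unknown"
        # keep the strongest verdict seen for each host
        if RANK[verdict] > RANK.get(verdicts.get(host), -1):
            verdicts[host] = verdict
    return verdicts

# Constructed sample lines: hosts and non-listed IPs are placeholders, not from the post
SAMPLE_LOG = [
    "2013-04-08T10:00:01 10.0.0.5 POST http://cms-a.example/pro/file.php 89.184.82.143 200",
    "2013-04-08T10:00:02 10.0.0.5 POST http://blog-b.example/pro/file.php 198.51.100.7 404",
    "2013-04-08T10:00:03 10.0.0.5 GET http://blog-b.example/index.php 198.51.100.7 200",
    "2013-04-08T10:00:04 10.0.0.9 POST http://shop-c.example/pro/file.php 203.0.113.20 200",
]
```

Running `classify_callbacks(SAMPLE_LOG)` returns cms-a and shop-c as active and blog-b as cleaned; the GET to index.php is ignored because only the config-path POST is a callback indicator.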

Where 89.184.82.143 is actively serving the config download:

Details of the currently infectious, "alive" Citadel C2 IPs:

The domains currently used for the callbacks (alive domains only):

The URL patterns used for HTTP/1.1 POST in this case are:

And guess what? NAUNET was behind one of these infector domains..

↑This raises the verdict on NAUNET's affiliation with malware sites even further, after the "RU:8080" blackhole case we went through.

Samples

We share the sample for research and for the purpose of raising the detection ratio.

Download the sample-->>[HERE]

#MalwareMustDie!