Crimeware based Targeted Attacks: Citadel case, Part II

In this part II of our Citadel blog, we will take a closer look at how to better understand and detect this crimeware using basic techniques and tools. We will show how to identify the infection, and extract some useful information during the analysis. In our previous blog we explored how this campaign was launched as a low volume, targeted attack. The personnel targeted were in key financial positions, and as such we assume that financial gain was the biggest motive.

‘Citadel’ is a variant of the Zeus crimeware toolkit (aka ZBot), and was first witnessed in late 2011 after the leak of the ZBot v2 source code. It is capable of a number of functions including stealing data, controlling the host machine, and performing DDoS attacks. It is important to understand the basics of how the initial infection occurs, before diving deeper into more complicated analysis.

Infection

The first thing we see is that it injects code into other processes. The injected code is ultimately responsible for everything that Citadel does and some basic system monitoring reveals how this occurs:

[Figure: Infection]

We see how the original file spawns a new process named ‘beafy.exe’, a randomly generated name that is dropped in the %APPDATA% folder. The new process then proceeds to inject code into explorer.exe and executes that injected code with CreateRemoteThread. The original file is sometimes deleted while the new process adds an entry to the Windows registry, allowing it to be run every time Windows is started.

Citadel then hooks important APIs in order to perform its tasks. We can figure out which APIs are being hooked by using Volatility’s apihooks tool:


vol.py -f /path/to/vmdump.vmem apihooks -p 620

And the output:

[Figure: Api Hooks]

We can see that a push/ret style hook has been implemented on this API. The purpose of this hook is to intercept any data being sent from Winsock’s send API, which can then be saved and sent to the bot’s command and control (C&C) server. This could potentially contain important personally identifiable information (PII).
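The push/ret hook described above is easy to recognise from the first bytes of the hooked export: a `push imm32` (0x68) followed by `ret` (0xC3) transfers control to the pushed address. The following Python is an added example (not from the original post) that performs that check over constructed sample prologue bytes and reports whether the hook target falls inside any known loaded module; the module address ranges are hypothetical values.

```python
import struct

# Constructed sample: first bytes of ws2_32!send as seen in memory.
# Clean prologue: mov edi,edi ; push ebp ; mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")
# Hooked prologue: push <imm32> ; ret  (jumps to the pushed address)
HOOKED_PROLOGUE = b"\x68" + struct.pack("<I", 0x01D60000) + b"\xc3"

# Hypothetical loaded-module ranges (start, end); not taken from the post.
MODULES = {
    "ws2_32.dll": (0x71AB0000, 0x71AB0000 + 0x17000),
    "kernel32.dll": (0x7C800000, 0x7C800000 + 0xF6000),
}


def parse_push_ret(prologue: bytes):
    """Return the hook target if the bytes start with push imm32; ret, else None."""
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def owning_module(addr: int, modules):
    """Name of the module whose range contains addr, or None (unknown region)."""
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return name
    return None


def check_export(name: str, prologue: bytes, modules):
    """Mimic apihooks' verdict: hooked?, where to, and is the target in a module."""
    target = parse_push_ret(prologue)
    if target is None:
        return {"export": name, "hooked": False}
    return {
        "export": name,
        "hooked": True,
        "target": target,
        # None here is the 'unknown module' case that malfind is used for next.
        "module": owning_module(target, modules),
    }


if __name__ == "__main__":
    for label, pro in (("clean", CLEAN_PROLOGUE), ("hooked", HOOKED_PROLOGUE)):
        print(label, check_export("ws2_32!send", pro, MODULES))
```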

The hook is redirecting to code in an unknown module, so we then use Volatility’s malfind tool to find and dump the unknown region. We once again specifically target explorer.exe:


vol.py -f /path/to/vmdump.vmem malfind -p 620 -D /path/to/memory/dumps/

One of these resulting dumps is a module (DLL) file, although analysis revealed that it was obfuscated/mangled and so static analysis was very limited. At this point, it is useful to extract all of the string references in these dumps using the Sysinternals strings tool:


strings -q -o /path/to/memory/dumps/*.dmp > /path/to/memory/dumps/strings.txt

The strings referenced contain a lot of garbage at first glance. However, some interesting ones include:

        bc_remove
        bc_add
        config.bin
        Coded by BRIAN KREBS for personal use only. I love my job & wife.
        SOFTWARE\Microsoft\Tuyxr

All of these are unique to ZBot and its variants, with the registry key having a randomly generated name. The ‘bc_add’ and ‘bc_remove’ strings are typical ZBot commands, although usually they are encrypted. The amusing reference to Brian Krebs is unique to the Citadel variant in particular, and as such we can conclude that this is indeed Citadel. We could also verify this by doing a full memory search of an infected process (i.e. explorer.exe) and searching for ‘citadel’, which should reveal references to ‘citadelhost’.

By verifying that these strings do not show up in any clean processes, including a check on a clean explorer.exe, we can safely assume that we are good to create detection for this. So using YARA, we can create a signature to automatically find the reference to the Brian Krebs string:

rule crime_win_citadel_memory_dev_ws
{
    meta:
        description = "ZBot variant – strings referenced in code injected into other processes, ie. FireFox"
        author = "Nick Griffin (Websense)"
        yaraexchange = "No distribution without author's consent"
        date = "2014-04"
        filetype = "memory"
        md5 = "4d175203db0f269f9d86d2677ac859cf"
        sha1 = "4b422b48be4beaa44557c452f0920aa1ee0b16cb"
    strings:
        $bkrebs = "Coded by BRIAN KREBS for personal use only. I love my job & wife."
    condition:
        $bkrebs
}
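The rule above matches the ASCII form of the string only (YARA would need the `wide` modifier to also catch UTF-16LE copies in process memory). As an added example that is not part of the original post, the Python below scans raw dump bytes for the indicators quoted from the strings output in both encodings, reports each hit with its offset as `strings -o` does, and grades the result so that only the Citadel-specific Krebs string, not the generic ZBot `bc_*` commands, yields a Citadel verdict. The sample dump bytes are constructed for the demonstration.

```python
import re

# Indicators quoted from the strings output on this page.
INDICATORS = [
    b"Coded by BRIAN KREBS for personal use only. I love my job & wife.",
    b"bc_add",
    b"bc_remove",
    b"config.bin",
]


def _patterns():
    """Compile each indicator as an ASCII and a UTF-16LE (wide) byte pattern."""
    pats = []
    for ind in INDICATORS:
        text = ind.decode()
        pats.append((text, "ascii", re.compile(re.escape(ind))))
        pats.append((text, "wide", re.compile(re.escape(text.encode("utf-16-le")))))
    return pats


def scan_dump(data: bytes):
    """Return (offset, indicator, encoding) for every hit, lowest offset first."""
    hits = []
    for text, enc, pat in _patterns():
        for m in pat.finditer(data):
            hits.append((m.start(), text, enc))
    return sorted(hits)


def classify(hits):
    """Krebs string => Citadel; bc_add/bc_remove alone => some ZBot variant."""
    texts = {t for _, t, _ in hits}
    if any(t.startswith("Coded by BRIAN KREBS") for t in texts):
        return "citadel"
    if texts & {"bc_add", "bc_remove"}:
        return "zbot-family"
    return "clean"


# Constructed sample dump: padding around an ASCII bc_add, a wide config.bin
# and the ASCII Krebs string (the page's YARA rule would fire on the latter).
SAMPLE_DUMP = (b"\x00" * 16 + b"bc_add\x00" + b"\x90" * 8
               + "config.bin".encode("utf-16-le") + b"\x00" * 4
               + INDICATORS[0] + b"\x00" * 8)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for off, text, enc in found:
        print(f"{off:8d} {enc:5s} {text}")
    print("verdict:", classify(found))
```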

Great! We now have a simple detection for Citadel.

Summary

We know that Citadel injects code into other processes, and Volatility has shown us some evidence of the malware. We have written a simple YARA rule to detect Citadel, but relying on a string reference is fragile, and we have yet to really dive into this crimeware to understand its true functionality.

In part III we will look into this malware in greater depth, aiming to understand its configuration and core behaviour. We shall also present a more robust method of identification.

Source: https://www.forcepoint.com/blog/x-labs/crimeware-based-targeted-attacks-citadel-case-part-ii
