The Citadel and Gameover Campaigns of 5CB682C10440B2EBAF9F28C1FE438468

By: Dennis Schwarz

As the infosec community waits for the researchers involved to present their Zeus Gameover takedown spoils at the next big conference, ASERT wanted to profile a threat actor that uses both Citadel, “a particularly sophisticated and destructive botnet”, and Gameover, “one of the most sophisticated computer viruses in operation today”, to steal banking credentials.

Citadel Campaign

When a threat actor decides that they would like to start a Citadel campaign, they buy the builder software, build the malware, distribute it in the wild, and then, unfortunately, usually profit. A “login key” in Citadel parlance identifies a specific copy of the builder. This key is also copied into the generated binaries, so a link between malware builder and malware is formed. Login keys are supposed to be unique, but because builders have been leaked to the public, some aren’t. For all intents and purposes, though, malware researchers use login keys to distinguish between distinct Citadel campaigns.

On October 29, 2013, security researcher Xylitol tweeted that login key 5CB682C10440B2EBAF9F28C1FE438468 was not associated with any of the defendants in Microsoft’s Citadel botnet lawsuit:

[Image: tweet]

ASERT has the following command and control (C2) URLs linked with that campaign. Most of these were hosted in the 46.30.41.0/24 netblock—owned by EuroByte:

MD5                               Command and Control URL
280ffd0653d150906a65cd513fcafc27  http://46.30.41.118/QHasdHJsadbnMQWe/file.php
02968192220a94996ac20ae78f8714a2  http://46.30.41.217/street/file.php
f1c8cc93d4e0aabd4713621fe271abc8  http://46.30.41.23/AshjkyuiHKJLuhjka/file.php
80ec7b373282bbaaca52851a46dfcf0b  http://46.30.41.51/WBHJSAKJghasjkdJHAGSDAu8/file.php
8c8c69ea9c84c68743368cc66c0962f3  http://46.30.41.98/werqfGADSHAJWe/file.php
8d484829fbbfff9aacf94f7d89949ee7  http://46.30.43.93/WhjyyuqwvbnqwjhERW/file.php
6646b55acb84ad05f57247e7aaa51b86  http://delprizmanet.com/hjkl123678qwe12lkj012/file.php
9c18247e6394f3d07ce9fcc43eb27a35  http://sdspropro.co.ua/1123asdASdqeqwoijlkj/file.php
6646b55acb84ad05f57247e7aaa51b86  http://sdspropro.co.ua/rrrguudness/file.php


Archived copies of the campaign’s configuration files from KernelMode.info and ZeuS Tracker show that the threat actor was using 28 webinjects to target 14 financial institutions in the Netherlands and Germany:

set_url: *abnamro.nl/nl/ideal/identification.do*
set_url: *abnamro.nl/nl/logon/identification*html*
set_url: *accessonline.abnamro.com/fss/open/welcome.do*
set_url: *banking.berliner-bank.de/trxm/bb*
set_url: *banking.postbank.de/rai/login*
set_url: *icscards.nl/nlic/portal/ics/login*
set_url: *ideal.ing.nl/internetbankieren/SesamLoginServlet*
set_url: *ideal.snsreaal.nl/secure/sns/Pages/Payment*
set_url: *ideal.snsreaal.nl/secure/srb/Pages/Payment*
set_url: *meine.norisbank.de/trxm/noris*
set_url: *mijn*.ing.nl/internetbankieren/SesamLoginServlet*
set_url: *regiobank.nl/internetbankieren/homepage/secure/homepage/homepage.html
set_url: *regiobank.nl/internetbankieren/secure/login.html
set_url: *regiobank.nl/internetbankieren/secure/login.html*action_prepareStepTwo=Inloggen
set_url: *regiobank.nl/internetbankieren/secure/logout/logoutConfirm.html
set_url: *snsbank.nl/mijnsns/bankieren/secure/betalen/overschrijvenbinnenland.html
set_url: *snsbank.nl/mijnsns/bankieren/secure/verzendlijst/verzendlijst.html*
set_url: *snsbank.nl/mijnsns/homepage/secure/homepage/homepage.html
set_url: *snsbank.nl/mijnsns/secure/login.html
set_url: *snsbank.nl/mijnsns/secure/login.html*action_prepareStepTwo=Inloggen
set_url: *snsbank.nl/mijnsns/secure/logout/logoutConfirm.html
set_url: http://www.rabobank.nl/bedrijven/uitgelogd/*
set_url: http://www.rabobank.nl/particulieren/uitgelogd*
set_url: https*abnamro.nl*
set_url: https*de*portal/portal*
set_url: https*paypal*
set_url: https://bankieren.rabobank.nl/klanten*
set_url: https://betalen.rabobank.nl/ideal-betaling*


As an example and reference for later, here are a few snippets of one of the webinjects:

[Image: webinject1]

Per ZeuS Tracker and VirusTotal passive DNS data, it seems as if this particular campaign started fizzling out around the end of 2013.

Zeus Gameover Campaign

As noted by security researcher Brian Krebs, the “curators of Gameover also have reportedly loaned out sections of their botnet to vetted third-parties who have used them for a variety of purposes.” Analyzing webinject data from the global configuration file that was being distributed on the peer-to-peer network shortly before its takedown on June 2, 2014, it looks as if the threat actor behind Citadel login key 5CB682C10440B2EBAF9F28C1FE438468 had joined the ranks of Gameover’s coveted third parties. Checking historical versions of the config shows that this collaboration goes back to at least January 2014.

In the analyzed configuration, there were 1324 web injects in total, targeting many financial institutions. Twelve of these were associated with the profiled actor and will be focused on here. First, the banking credentials extracted by this group of injects were being exfiltrated to IP address 46.30.41.23. This IP had previously hosted a C2 panel of the above Citadel campaign. Second, there were eight financial institutions targeted, seven of which were a subset of the previous campaign:

match: ^https.*?de.*?portal/portal.*?
match: ^https://.*?regiobank.nl/internetbankieren/secure/login.html
match: ^https://.*?regiobank.nl/internetbankieren/homepage/secure/homepage/homepage.html
match: ^https://.*?bankieren.rabobank.nl/klanten.*?
match: ^https://.*?meine.deutsche-bank.de/trxm/db.*?
match: ^https://.*?meine.norisbank.de/trxm/noris.*?
match: ^https://.*?banking.berliner-bank.de/trxm/bb.*?
match: ^https://.*?banking.postbank.de/rai/login.*?
match: ^https://.*?snsbank.nl/mijnsns/secure/login.html
match: ^https://.*?snsbank.nl/mijnsns/homepage/secure/homepage/homepage.html
match: ^https://.*?snsbank.nl/mijnsns/bankieren/secure/betalen/overschrijvenbinnenland.html
match: ^https://.*?snsbank.nl/mijnsns/bankieren/secure/verzendlijst/verzendlijst.html.*?
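The comparison drawn above between the two target lists (Citadel’s wildcard set_url masks and Gameover’s regular-expression match lines) can be reproduced mechanically. The following Python script is an added example, not code from the original post or from either malware family: it converts both formats into Python regular expressions, reports which sample URLs each list would have hooked, and reduces each list to the registrable domains it targets so the overlap between the two campaigns can be computed. The pattern entries are copied from the lists quoted in the post; the test URLs are constructed. The mask semantics assumed here (`*` matches any run of characters, `#` matches one character, and the mask must cover the whole URL) and the "last two DNS labels" shortcut for naming an institution are simplifications made for this example.

```python
import re

# Sample entries copied from the Citadel set_url list quoted in the post.
CITADEL_SET_URL = [
    "*abnamro.nl/nl/ideal/identification.do*",
    "*banking.postbank.de/rai/login*",
    "*regiobank.nl/internetbankieren/secure/login.html",
    "*snsbank.nl/mijnsns/secure/login.html",
    "https://bankieren.rabobank.nl/klanten*",
    "https*paypal*",
]

# Sample entries copied from the Gameover match list quoted in the post.
GAMEOVER_MATCH = [
    r"^https://.*?regiobank.nl/internetbankieren/secure/login.html",
    r"^https://.*?meine.deutsche-bank.de/trxm/db.*?",
    r"^https://.*?banking.postbank.de/rai/login.*?",
    r"^https://.*?snsbank.nl/mijnsns/secure/login.html",
    r"^https://.*?bankieren.rabobank.nl/klanten.*?",
]


def set_url_to_regex(mask: str) -> re.Pattern:
    """Translate a Zeus-family set_url mask into an anchored regex.

    Assumed semantics: '*' = any run of characters, '#' = exactly one
    character, everything else literal, and the mask must cover the
    whole URL (so a mask without a trailing '*' rejects query strings).
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def citadel_targets(url: str, masks=CITADEL_SET_URL) -> list:
    """Return the Citadel masks that would hook this URL."""
    return [m for m in masks if set_url_to_regex(m).match(url)]


def gameover_targets(url: str, patterns=GAMEOVER_MATCH) -> list:
    """Return the Gameover match lines that would hook this URL.

    The config lines are already regexes; re.match anchors at the start
    only, so a line without '$' behaves like a prefix match.
    """
    return [p for p in patterns if re.match(p, url)]


def institution(pattern: str) -> str:
    """Approximate the targeted institution by the registrable domain.

    Simplification (assumption): strip the scheme and leading wildcards,
    take the host part up to the first '/', drop any embedded '*', and
    keep the last two DNS labels (e.g. 'bankieren.rabobank.nl' ->
    'rabobank.nl'). Patterns without a dotted host fall back to the
    bare fragment (e.g. 'https*paypal*' -> 'paypal').
    """
    p = pattern.lstrip("^*")
    p = re.sub(r"^https?(://)?", "", p)   # drop scheme from either format
    p = p.lstrip("*")                      # Citadel: 'https*host' style
    if p.startswith(".*?"):                # Gameover: 'https://.*?host' style
        p = p[3:]
    host = p.split("/", 1)[0].replace("*", "")
    labels = host.split(".")
    return ".".join(labels[-2:])


def overlap(citadel=CITADEL_SET_URL, gameover=GAMEOVER_MATCH):
    """Institutions targeted by both lists, and those only Gameover adds."""
    c = {institution(m) for m in citadel}
    g = {institution(p) for p in gameover}
    return c & g, g - c


if __name__ == "__main__":
    # Constructed URLs; none of these are real pages from the post.
    for url in [
        "https://www.regiobank.nl/internetbankieren/secure/login.html",
        "https://www.regiobank.nl/internetbankieren/secure/login.html?x=1",
        "https://banking.postbank.de/rai/login?step=2",
        "http://www.paypal.com/",
    ]:
        print(url, "citadel:", bool(citadel_targets(url)),
              "gameover:", bool(gameover_targets(url)))
    shared, added = overlap()
    print("shared institutions:", sorted(shared))
    print("only in Gameover list:", sorted(added))
```

One detail the comparison surfaces is that the two formats anchor differently: a Citadel mask without a trailing `*` rejects a URL that carries a query string, while the equivalent Gameover line, being a regex with no `$`, still matches it as a prefix. The domain overlap on these sample entries reproduces the post’s observation that Deutsche Bank is the one institution in the Gameover list that the Citadel list did not already cover.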


Finally, the coding style, function/variable naming, and formatting of the webinjects themselves were akin to the above and looked to have been retrofitted from Citadel to work with Gameover:

[Image: webinject2]

The drop site itself is a Ruby on Rails application that logs and displays the data sent from infected hosts:

[Image: bots]


Each entry can be formatted a bit better by clicking “Show”:

[Image: bot_detail]

Some of the logging text seen in these screenshots—for example: “Wait tan from holder”—can be correlated back to the earlier snippets of the webinjects.

The initial entries in the list are dated from around March and June of 2012, but these entries may be old or in error as there is a jump to December 2013 and then consistent logging from there. At the time of this writing there were approximately 1089 entries.

In addition, up to five Jabber IDs can be configured in the application and then messaged on receipt of freshly stolen credentials:

[Image: jabber]

At the time of writing, the configured Jabber IDs were:

  • bro2@jabbim.cz
  • airhan@jabbim.cz
  • fapache@jabber.me

There wasn’t much open source intelligence on these, though.

Conclusion

Pondering the data available, this threat actor ran a fairly targeted Citadel campaign focusing on a small set of banks in the Netherlands and Germany. Based on ZeuS Tracker data, most of the Citadel C2s became active after the start of Microsoft’s lawsuit on June 5, 2013, which likely explains the exclusion of 5CB682C10440B2EBAF9F28C1FE438468 from the legal notices.

The Citadel campaign looks like it closed up shop at the end of 2013. In December 2013, logging on the out-of-band Gameover drop site started in earnest, so this might be when the threat actor moved to stealing banking credentials via Gameover.

So far, it seems as if this threat actor has escaped the clutches of the great Citadel take-down and, since the drop site is still receiving stolen credentials, has evaded the Zeus Gameover take-down as well. In the spirit of “see something, say something” and with the recency of the legal action, ASERT has provided the data available to our law enforcement contacts.
