Wednesday, February 12, 2014

2x Citadel C&C + new find

Found 2x Citadel C&C on CyberCrime Tracker:

81.236.49.249 - www.lbmedical.se/media/system/css/cp.php?m=login
93.125.99.9   - gaskotel.by/templates/system/css/cp.php?m=login

The usual Citadel panels and bots, but this time I found another C&C in the log files. It seems a PC was infected with two different Citadel bots, and one of them grabbed the POST traffic going to the gate.php of the other C&C. This kind of 'double infection' does happen, but this particular one was interesting.

The newly found server, taking.no-ip.biz, resolves to a network in Nigeria. More on this development later.
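The double infection above shows why grabbed traffic from one C&C is worth mining for other C&Cs. As an added example (not code from this blog, and not Citadel's real log layout, which is assumed here as a simplified "METHOD URL" line per request), the script below walks constructed log lines and flags requests to the two Citadel paths seen on this page: bot check-ins to gate.php and panel logins to cp.php, marking dynamic-DNS hosts like the no-ip.biz one found here.

```python
import re
from urllib.parse import urlparse

# Constructed sample of grabbed HTTP traffic in an assumed "METHOD URL"
# layout. The no-ip.biz host and gaskotel.by path are the ones discussed above.
SAMPLE_LOG = """\
GET http://www.example.com/index.html
POST http://taking.no-ip.biz/files/gate.php
GET http://gaskotel.by/templates/system/css/cp.php?m=login
POST http://www.example.com/login.php
POST http://93.125.99.9/templates/system/css/gate.php
"""

# Paths typical of Citadel/Zeus-family panels: gate.php is the bot
# check-in endpoint, cp.php is the operator's control-panel login.
CITADEL_PATH = re.compile(r"/(gate|cp)\.php$")

# Assumption: a small list of dynamic-DNS suffixes worth extra scrutiny.
DYNDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".ddns.net")


def find_citadel_candidates(log_text):
    """Return one dict per request whose path looks like a Citadel panel
    or gate, in log order. Nothing here touches the network."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        method, url = parts
        parsed = urlparse(url)
        if not CITADEL_PATH.search(parsed.path):
            continue
        host = parsed.hostname or ""
        hits.append({
            "method": method,
            "host": host,
            "path": parsed.path,
            # gate.php traffic comes from bots; cp.php traffic from operators
            "role": "bot check-in" if parsed.path.endswith("gate.php") else "panel login",
            "dyndns": host.endswith(DYNDNS_SUFFIXES),
        })
    return hits


if __name__ == "__main__":
    for hit in find_citadel_candidates(SAMPLE_LOG):
        print(hit)
```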

Login (gaskotel.by): [screenshot]
Summary: [screenshot]
Options: [screenshot]

(lbmedical.se)
Summary: [screenshot]

Found another Citadel in the logs: [screenshot]

Let's have a look: [screenshot]

Yep, it looks like Citadel.

Login: [screenshot]

Interesting note on the index: [screenshot]
We recently survived a server shutdown due to high load on our servers. We have now relocated our servers to keep providing the best City service. Please send your username and link to kingtools.inc@live.com to setup your new info. 
Are you sure it was due to high load? It couldn't have been someone that maybe deleted your panels, dropped your databases and shut the servers down?


Found a malware sample:

main_doc.zip > main_doc.exe
FUD (fully undetected).
https://malwr.com/analysis/ODcwY2FlYmZiNmNjNDY3NGIzMGRmZDJkMDRjNjlhNmU/
