The Citadel logo is changed to the Kingtools logo.
This is the only noticeable change that is different between the two systems.
The system discussed here was hosted on the following IPs:
10-Feb-2014taking.no-ip.biz = 220.127.116.11 (Lagos, Nigeria)
11-Feb-2014taking.no-ip.biz. = 18.104.22.168 (Lagos, Nigeria)
This particular C&C was discovered earlier this week in the log files of another Citadel server I was researching. You can read that post here.
Citadel log, referencing the typical URL structure of an HTTP botnet.
Looks like a Citadel / ZeuS:
It had an interesting message on the index.
And there was a Citadel panel:
The KingTools Citadel panel:
Pretty boring. It looks just like Cit 22.214.171.124
I cant find any other differences besides the logo.
Operation system: Windows NT 6.1 build 7601 (Windows 7 Home Basic Edition Service Pack 1), i586
Control panel: 126.96.36.199
PHP: 5.4.19, apache2handler
Zend engine: 2.4.0
MySQL server: 5.5.32
MySQL client: mysqlnd 5.0.10 - 20111026 - $Id: e707c415db32080b3752b232487a435ee0372157 $
We can see from the options page of the panel that the server is currently installed on a Windows 7 Home Basic Edition PC. This is most likely just a temporary setup while he shifts things around and tries to retain 'customers'.
These Nigerian spammers and scammers are clearly evolving. This looks like a new trend for them, different from the Advance Fee Fraud (419 scams) they usually attempt. By utilizing Citadel, they are now able to perform much more sinister deeds than just sending scam email.
Unfortunately for them I enjoy taking this garbage down in my spare time.
Let me know if you see more of this KingTools Citadel.
Thank you to BK for intel.