Wednesday, February 12, 2014

More Nigerian Citadel-as-a-Service

Recently I discovered a large group of Citadel botnets that appear to be administered by the same person (or people). This claim rests, among other things, on the fact that the servers I have been following share very similar configurations; that is not a coincidence.

Furthermore, the evidence gathered suggests the admin is offering his services by hosting and configuring Citadel botnets for customers (all of them the leaked 1.3.5.1 version).

Log files on the servers indicate the actor is located in Nigeria and many of the 'customers' using the panels are Nigerians as well.

This discovery started out as routine research: ZeuS Tracker posted the server and I had a look at it.


The first group of C&Cs I will discuss was located on this network:
inetnum:  87.236.215.0 - 87.236.215.255
netname:  OneGbits
descr:    1 Gbits Com

First Citadel control server:
https://zeustracker.abuse.ch/monitor.php?host=87.236.215.88
87.236.215.88

'USA' Summary:
187 bots


OS Stats:


Running Script:
hxxp://cm8899.com/twe/download/black/winsys.exe


Script was downloading from cm8899.com.

Malwr.com analysis: Winsys.exe

This server had open directory listings, among other things.


More malware samples:

Friendly-looking Joomla brute-forcer:




Sample of log on 87.236.215.88:
41.190.3.225 - - [03/Feb/2014:08:24:09 +0000] "GET /service/usa/server/install/index.php HTTP/1.1" 200 3686
41.190.3.225 - - [03/Feb/2014:08:28:56 +0000] "GET /service/usa/server/cp.php HTTP/1.1" 302 -
41.190.3.225 - - [03/Feb/2014:08:29:05 +0000] "GET /service/usa/server/cp.php?m=login HTTP/1.1" 200 1470
41.190.3.225 - - [03/Feb/2014:08:29:15 +0000] "GET /service/usa/server/cp.php?m=home HTTP/1.1" 200 8294
41.190.3.110 - - [03/Feb/2014:21:02:08 +0000] "GET /service/usa/server/cp.php?m=login HTTP/1.1" 200 1470
41.190.3.110 - - [03/Feb/2014:21:02:26 +0000] "GET /service/usa/server/cp.php?m=home HTTP/1.1" 200 12052

The admin and control panel users are operating from a network located in Nigeria. 
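The access-log pattern above is worth automating. The following Python script is an added example and not code from the original post: it parses Common Log Format lines, flags the requests that reveal panel operators (the install/index.php and cp.php paths seen in the excerpt), collects their source addresses and groups them by /16 so the 41.190.x.x clustering stands out. The log lines inside the script are constructed from the excerpt, with one extra ordinary request and one gate.php check-in added for contrast; treating gate.php as the bot check-in script is an assumption based on the ZeuS lineage defaults, not something the post shows.

```python
"""Pull control-panel operator activity out of an Apache access log.

Added example, not code from the original post. The cp.php and
install/index.php paths are the ones visible in the log excerpt above;
gate.php as the bot check-in script is an assumption (ZeuS-lineage default).
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the excerpt in the post, not the real server
# log. The last two lines are added: one ordinary request and one bot check-in.
SAMPLE_LOG = """\
41.190.3.225 - - [03/Feb/2014:08:24:09 +0000] "GET /service/usa/server/install/index.php HTTP/1.1" 200 3686
41.190.3.225 - - [03/Feb/2014:08:28:56 +0000] "GET /service/usa/server/cp.php HTTP/1.1" 302 -
41.190.3.225 - - [03/Feb/2014:08:29:05 +0000] "GET /service/usa/server/cp.php?m=login HTTP/1.1" 200 1470
41.190.3.225 - - [03/Feb/2014:08:29:15 +0000] "GET /service/usa/server/cp.php?m=home HTTP/1.1" 200 8294
41.190.3.110 - - [03/Feb/2014:21:02:08 +0000] "GET /service/usa/server/cp.php?m=login HTTP/1.1" 200 1470
41.190.3.110 - - [03/Feb/2014:21:02:26 +0000] "GET /service/usa/server/cp.php?m=home HTTP/1.1" 200 12052
198.51.100.7 - - [03/Feb/2014:21:03:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [03/Feb/2014:21:04:11 +0000] "POST /service/usa/server/gate.php HTTP/1.1" 200 64
"""

# Common Log Format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths that identify who is doing what on the panel.
# Order matters: the first matching rule wins, so the specific login
# rule sits before the generic cp.php rule.
RULES = [
    ("install", re.compile(r'/install/index\.php$')),  # panel being set up
    ("login",   re.compile(r'/cp\.php\?m=login$')),    # operator login page
    ("panel",   re.compile(r'/cp\.php(\?|$)')),        # any other panel view
    ("gate",    re.compile(r'/gate\.php(\?|$)')),      # bot check-in (assumed name)
]


def parse_line(line):
    """Return the fields of one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Map a request path to an event type, or None for ordinary traffic."""
    for name, rx in RULES:
        if rx.search(path):
            return name
    return None


def extract_events(log_text):
    """Return [(ip, event, path, status), ...] for every panel-related request."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        event = classify(rec["path"])
        if event is not None:
            events.append((rec["ip"], event, rec["path"], int(rec["status"])))
    return events


def operator_ips(events):
    """Addresses that installed or used the panel: the people, not the bots."""
    return sorted({ip for ip, event, _, _ in events
                   if event in ("install", "login", "panel")})


def group_by_prefix(ips, prefixlen=16):
    """Aggregate addresses into /prefixlen networks, e.g. 41.190.0.0/16."""
    groups = defaultdict(list)
    for ip in ips:
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(ip)
    return dict(groups)


def from_network(ip, cidr):
    """True if ip falls inside the CIDR block (e.g. the Nigerian /16)."""
    return ip_address(ip) in ip_network(cidr)


if __name__ == "__main__":
    events = extract_events(SAMPLE_LOG)
    ops = operator_ips(events)
    print("operator IPs:", ops)
    print("grouped by /16:", group_by_prefix(ops))
```

Run it against a full access log by replacing SAMPLE_LOG with the file contents; the /16 grouping is what makes "all installs and logins came from the same 41.190.x.x network" a one-line check rather than something read off by eye.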



Down the Rabbit Hole

I got curious and started looking around the rest of the 87.236.215.xx network.

Found plenty more naughty control servers.

Each directory listed is the unique name of a botnet, which in this case also serves as the encryption key for that particular botnet.

All of them were installed and logged in from that same 41.190.x.x network in Nigeria. 
Nice. 

9x Citadel botnets
5x Citadel botnets

6x Citadel botnets
atm?

I had hoped the 'atm' botnet would be more interesting; it had nothing to do with ATM machines.


Cute PayPal phishing, targeting Germans.




Summary:
What started out as an investigation of one control server turned into 20 different Citadel botnets. This sheds some light on current cyber crime trends, not only in Nigeria but across the wider threat landscape. The botnet-as-a-service / crimeware-as-a-service model is already well underway and will continue to grow.


I am currently researching more of this administrator's infrastructure.

Yes, there is much more good stuff to post. Coming soon. 

All of this garbage has been deleted from the servers mentioned. These botnets are no longer operational. 

