Saturday, February 22, 2014

Nigerian Citadel-as-a-Service Network (again)

Many Citadel botnets posted on CyberCrime-Tracker are hosted on the same IP, with some interesting names.



We have seen this guy before. Here and here.

Now he has rebuilt (for now) on 91.214.203.132


WHOIS 91.214.203.132
inetnum:        91.214.200.0 - 91.214.203.255
netname:       ROXNET-COM-NET
descr:            SRL ROXNET-COM
descr:            Chisinau, Moldova
country:        MD



Dir Listing

Kingmaker?
Probably related to the Kingtools Citadel brand here



No time to take all of these screenshots so I will just post stats.


abbey 0 bots
austin 59 bots
ben 35 bots / 19k reports
biz 3 bots / 105 reports
blessbayo 1 bot
chido 2 bots
dammy 16 bots / 14546 reports
dede 2 bots
drsmart 19 bots
easy 12 bots / 2685 reports
favour 24 bots
forever 14 bots
ideal 27 bots
iguy 17 bots
larry-uk 14 bots
moratti 62 bots / 13392 reports
ogoguy ? bots
steve 1 bot
work 1 bot
xz 1 bot
TOTAL: 310 bots



Citadel Malware from this server:


This junk is all offline now.

But I'm sure we'll see him again.
