Saturday, March 1, 2014

[NG] ZeuS & Citadel-as-a-Service

The same Nigerian administrator we have seen before, offering Citadel 1.3.5.1 as a service.

This time he also seems to be offering the older ZeuS 2.0.8.9.

Why would one do such a thing? Maybe he thinks something is wrong with his copy of v2.1.0.1? Maybe he is testing something? I have no idea. I can only speculate. 


Command & Control Servers:
89.33.0.28
89.33.0.199

IPv4 Network Whois: 
inetnum: 89.33.0.0 - 89.33.3.255
netname: ICS-NETWORKS-SOLUTIONS-SRL
descr: ICS Networks Solutions SRL
descr: I.Creanga 6v
descr: Chisinau 2069
descr: Moldova MD

Each directory on the server is named after a customer, and it holds the control panel for that customer's own botnet. We have seen these names before.

Service:

Smaller server:

"Obi" wins (loses?) this round with 153 bots.
Naughty Obi ...
Citadel 1.3.5.1

Godwin:
50 bots

Bobby:

"Dayo" testing out old ZeuS

DedeNew:

More old ZeuS v2.0.8.9

blah, blah, blah...
yada, yada, yada....

Kingmaker

Malware samples from this campaign (file name and MD5):
nay.exe
be0fd3c79a55542364f04fe2177551c9

nforever.exe
bc994c0f79897dab5f729e9a967790bd

nobi.exe
e5110333f84c118e02e73a3384a7d125

frat.exe
1e3b19c7beb876ca7d2b14ed28098e34

hope.exe
74670eca1e61c63354b2814693986dfe

ndp.exe
fc40be9447fcac34307076bea1173fe0

nmoradeyo.exe
eefef7a2482a2e2536e0d956e3a74589

Notes

Some notes on the Nigerian admin of this botnet-as-a-service.

Hostnames and source addresses seen in the logs:

XPERAZ 41.190.3.88
XPERAZ-PC 41.190.2.196

He has VPN software (and at least one VPS) to help him mask his location, but he forgets to turn it on sometimes. You can see he is on the same network we have seen before:

41.190.0.0
inetnum:        41.190.0.0 - 41.190.31.255
netname:        EMTS-20080523
descr:          EMTS Limited / Etisalat Nigeria
country:        NG
admin-c:        AAH2-AFRINIC
person:         Omar Bin Ashoor
nic-hdl:        OBA1-AFRINIC
address:        Everest Court,
address:        Plot 19, Zone L,
address:        Federal Government Layout,
address:        Banana Island,
address:        Ikoyi
address:        Lagos 101241
address:        Nigeria

I have seen them connect from the 41.71.190.x network as well. This is VisaPhone NG, a CDMA/3G wireless internet provider. I had connected to one of their machines and saw that they connect using a USB wireless network card. Mobile admins.


I have grabbed HTTP logs and grepped the "Install" lines before. This shows the IP of the admin who installed these botnets. It looks to be the same actor here.
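As an added example, not part of the original post: a Python version of that log grep. It parses combined-format access log lines, keeps every request aimed at a panel installer, counts hits per source address and per panel directory, and checks whether the address falls inside the EMTS/Etisalat netblock from the whois record above (41.190.0.0 - 41.190.31.255, which is 41.190.0.0/19). The log lines are constructed for the example, and the installer path pattern (anything containing /install) is an assumption; match whatever path the panel on your server actually exposes.

```python
# Added example (not from the original post): pull the installer hits out of a
# web-server access log for a Citadel/ZeuS control panel and see which source
# addresses fall inside the netblock the post attributes to the operator.
import ipaddress
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Installer path pattern is an assumption; adjust to the panel you are looking at.
INSTALL_RE = re.compile(r'/install', re.IGNORECASE)

# Netblock from the whois record in the post (41.190.0.0 - 41.190.31.255 = /19).
SUSPECT_NETS = [ipaddress.ip_network("41.190.0.0/19")]

# Constructed sample log lines: the bot check-ins and installer hits are made
# up for the example, only the address ranges come from the post.
SAMPLE_LOG = """\
41.190.3.88 - - [28/Feb/2014:10:12:01 +0000] "GET /obi/install/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
41.190.3.88 - - [28/Feb/2014:10:12:40 +0000] "POST /obi/install/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Feb/2014:10:15:02 +0000] "POST /obi/gate.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
41.190.2.196 - - [28/Feb/2014:11:02:17 +0000] "GET /godwin/install/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [28/Feb/2014:11:30:55 +0000] "GET /obi/cp.php?m=stats_main HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def install_hits(log_text):
    """Yield (ip, path) for every request whose URL points at a panel installer."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and INSTALL_RE.search(rec["path"]):
            yield rec["ip"], rec["path"]


def in_suspect_net(ip):
    """True if the address sits inside one of the netblocks of interest."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETS)


def admin_report(log_text):
    """Count installer hits per source IP and flag those inside the suspect netblocks.

    Returns {ip: {"hits": n, "panels": set_of_panel_dirs, "suspect_net": bool}}.
    """
    hits = Counter()
    panels = {}
    for ip, path in install_hits(log_text):
        hits[ip] += 1
        # First path component is the per-customer panel directory, as in the post.
        panels.setdefault(ip, set()).add(path.split("/")[1])
    return {
        ip: {"hits": n, "panels": panels[ip], "suspect_net": in_suspect_net(ip)}
        for ip, n in hits.items()
    }


if __name__ == "__main__":
    for ip, info in admin_report(SAMPLE_LOG).items():
        print(ip, info)
```

Bot check-ins to gate.php and the operator's own cp.php visits are deliberately left out of the report; only the installer hits are useful for attribution, since a bot never requests the installer and the stats pages can be proxied.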

http://protectyournet.blogspot.com/2014/02/nigerian-citadel-on-55613347.html
http://protectyournet.blogspot.com/2014/02/more-nigerian-citadel-as-service.html


'Strings' output for the malware samples (malwr.com sandbox reports):

https://malwr.com/analysis/OGE4YTY4NDk1NmQ5NDlhNWE5MzY5YTBlMTA2NDRjYWQ/
https://malwr.com/analysis/NDVmNzFhMDJjNTRkNGY4MDk2NDZjZTAwN2M2N2JmZjk/

C:\Program Files\XPERAZ-PC\Xpera Z\MsComCtl.oca

This looks like his build/test environment. An .oca file is the type-library cache that VB6 writes for an ActiveX control (here MSCOMCTL), and the VB6 compiler embeds that reference path in the compiled binary, so the path records the machine the sample was built on. The same machine name (XPERAZ-PC) shows up in the botnet logs, so he is presumably testing his own builds against the panel, which is why his machine appears there.

jsunpack has seen this same string in another campaign:
http://jsunpack.jeek.org/?report=b0e6a26a0e449cb5b56f9d13c77ec72e8c208406
91.214.203.132/service/austin/naustin.exe benign
Benign?
That botnet IP looks familiar. Oh yeah, I took it down. 


Nigerian Citadel Service Admin
Nick/name: Xperaz / Xperiaz
Location: Nigeria


