Fight Against Citadel in Japan  by You Nakatsuru

50 %
50 %
Information about Fight Against Citadel in Japan  by You Nakatsuru

Published on March 12, 2014

Author: codeblue_jp



Lately in Japan the malware Citadel has been implicated in multiple internet banking unauthorised transaction incidents.
Citadel is a type of malware much like the Zeus known as banking trojans. When the malware successfully infects the users environment it utilises special functions called Web Injects to alter the website displayed in the end users computer to steal login credentials for internet banking sites.
To handle Citadel infection incidents, it is necessary to clarify whatsettings and what servers the Citadel malware uses and communicates totherefore its essential to have an in-depth knowledge of Citadel and to conduct research on the files left by Citadel. In this presentation I will present my findings on doing detailed analysis on Citadel and introduce data transmission reconstruction and file reconstruction tools which have been created to handle Citadel incidents.

You Nakatsuru

You 'Tsuru' Nakatsuru, CISSP is a "just married" Information Security Analyst of Analysis Center at JPCERT/CC (Japan Computer Emergency Response Team Coordination Center) since April 2013.
His primary responsibilities are to analyze malware abused in highly sophisticated cyber attacks, along with R&D on advanced counter malware technologies and cutting-edge incident handling methods. He also takes an active role in capacity building for junior malware analysts.

Fight Against Citadel in Japan 2014/02/18 JPCERT/CC Analysis Center NAKATSURU You

Copyright©2014 JPCERT/CC All rights reserved.1 Agenda Background —Unauthorized Remittance in Japan Analyzing Citadel —Overview —Encryption Making of Citadel Decryptor Citadel Decryptor —Usage —Demo

Copyright©2014 JPCERT/CC All rights reserved.2 BACKGROUND

Copyright©2014 JPCERT/CC All rights reserved.3 Illegal Transfer in Japan $14million $500k $3million 2011 2012 2013 Targeting 32 Banks

Copyright©2014 JPCERT/CC All rights reserved.4 Related with Malware In most cases, passwords are retrieved and abused through defaced web pages where malware request users to authenticate

Copyright©2014 JPCERT/CC All rights reserved.5 Banking Trojan ZeuS Ice IX Citadel GameOver SpyEye Carberp etc.

Copyright©2014 JPCERT/CC All rights reserved.6 Why Citadel?

Copyright©2014 JPCERT/CC All rights reserved.7 Banking Trojan Incident Back Connect Server Web Panel Attacker User Internet Banking

Copyright©2014 JPCERT/CC All rights reserved.8 Web Injects User Internet Banking

Copyright©2014 JPCERT/CC All rights reserved.9 Web Injects Demo

Copyright©2014 JPCERT/CC All rights reserved.10 Builder & Web Panel

Copyright©2014 JPCERT/CC All rights reserved.11 Underground Market

Copyright©2014 JPCERT/CC All rights reserved.12 Our Incident Response Back Connect Server Web Panel Attacker User Internet Banking Information Sharing

Copyright©2014 JPCERT/CC All rights reserved.13 Information We Need Back Connect Server Web Panel Attacker User Internet Banking Which site is targeted Where Where How Where

Copyright©2014 JPCERT/CC All rights reserved.14 ANALYZING CITADEL

Copyright©2014 JPCERT/CC All rights reserved.15 External Information Leaked Citadel Web panel Builder Leaked ZeuS Web panel Builder ZeuS source Web panel source Builder source Binary Debug info Blogs Sophos LEXSI

Copyright©2014 JPCERT/CC All rights reserved.16 Analysis Method •Retrieving information Surface Analysis •Monitoring tools, Sandbox and debugging Runtime Analysis •Reading source code, assembly code Static Analysis

Copyright©2014 JPCERT/CC All rights reserved.17 Static Analysis Diffing with ZeuS

Copyright©2014 JPCERT/CC All rights reserved.18 Citadel Overview Sending report Current settings, etc. Web Injects

Copyright©2014 JPCERT/CC All rights reserved.19 Configuration Files •Default settings •Encryption key, URL of Dynamic Config •Encoded and hardcoded Base Config •Additional settings •HTTP Injection, etc… •Downloaded from servers Dynamic Config

Copyright©2014 JPCERT/CC All rights reserved.20 botnet "CIT" timer_config 4 9 timer_logs 3 6 timer_stats 4 8 timer_modules 1 4 timer_autoupdate 8 url_config1 "http://citadelhost/folder/file.php|file=config.dll" url_config2 "http://reserve-citadelhost/folder/file.php|file=config.dll" remove_certs 1 disable_cookies 0 encryption_key "key123" report_software 1 enable_luhn10_get 0 enable_luhn10_post 1 disable_antivirus 0 use_module_video 1 antiemulation_enable 0 disable_httpgrabber 0 use_module_ffcookie 1 Base Config Dynamic Config URL Password to generate RC4 key

Copyright©2014 JPCERT/CC All rights reserved.21 Dynamic Config url_loader "http://citadelhost/folder/file.php|file=soft.exe" url_server "http://citadelhost/folder/gate.php" file_webinjects "injects.txt" url_webinjects "http://citadelhost/folder/file.php" entry "AdvancedConfigs" "http://reserve-host1/folder/file.php|file=config.bin" "http://reserve-host2/folder/file.php|file=config.bin" end entry "WebFilters" "#**" "@**" "!http://*.com/*.jpg" end (snip) set_url GP data_before <div><strong><label for="userid">Username</la data_end data_inject <input type="text" accesskey="U" id="userid" na <DIV><STRONG><LABEL for=userid>ATM Pin</L style="WIDTH: 147px" tabIndex="2" maxLength= <DIV><STRONG><label for="password">Passwo <input type="password" accesskey="P" id="pass <input type="hidden" name="screenid" value="SI <input type="submit" value="Go" name="btnSign <input type="hidden" id="u_p" name="u_p" value </form> data_end

Copyright©2014 JPCERT/CC All rights reserved.22 Encryption

Copyright©2014 JPCERT/CC All rights reserved.23 Encrypted Data

Copyright©2014 JPCERT/CC All rights reserved.24 Encrypted Data Packet POST data (report file) Dynamic Config Additional modules File Report Backup of additional modules Registry Current settings Backup of Dynamic Config

Copyright©2014 JPCERT/CC All rights reserved.25 Encryption Method • AES encryption and XOR encoding AES+ • RC4 encryption and XOR encoding RC4+ • Encryption of RC4+ twice RC4+ * 2 • AES+ encryption using random generated key when installd Installed Data

Copyright©2014 JPCERT/CC All rights reserved.26 In Case of Dynamic Config Base Config Dynamic Config XOR AES+ UCL

Copyright©2014 JPCERT/CC All rights reserved.27 0x400 Bytes Overlay PE file PE file Install setting Installed data Before install After install XOR key ID, Install paths, AES key, StrageArray key, etc. Padding Padding

Copyright©2014 JPCERT/CC All rights reserved.28 Encryption Summary Category Data Format Encryption Packet Report Encrypted BinStrage RC4+ Dynamic Config Encrypted BinStrage AES+ Additional modules Executable RC4+ * 2 File Report file StrageArray Installed Data Backup of modules StrageArray Installed Data Registry Backup of Dynamic Config Encrypted BinStrage Installed Data

Copyright©2014 JPCERT/CC All rights reserved.29 MAKING OF CITADEL DECRYPTOR

Copyright©2014 JPCERT/CC All rights reserved.30 Our Goal Decrypt data & retrieve information for incident response

Copyright©2014 JPCERT/CC All rights reserved.31 Implementation Python PyCrypto pefile UCL

Copyright©2014 JPCERT/CC All rights reserved.32 RC4+ Decryption Get RC4 keystream RC4 Visual Decrypt

Copyright©2014 JPCERT/CC All rights reserved.33 RC4+ Implementation def rc4_plus_decrypt(login_key, base_key, buf): S1 = base_key['state'] S2 = map(ord, login_key) out = "" i = j = k = 0 for c in buf: i = (i + 1) & 0xFF j = (j + S1[i]) & 0xFF S1[i], S1[j] = S1[j], S1[i] out += chr((ord(c) ^ S1[(S1[i]+S1[j])&0xFF]) ^ S2[k%len(S2)]) k += 1 return out

Copyright©2014 JPCERT/CC All rights reserved.34 Get AES key AES Decrypt Visual Decrypt AES+ Decryption

Copyright©2014 JPCERT/CC All rights reserved.35 AES+ Implementation def unpack_aes_plus(login_key, base_key, xor_key, aes_key, data): aes = tmp = aes.decrypt(data) out = "" for i in range(len(tmp)): out += chr(ord(tmp[i]) ^ ord(xor_key[i%len(xor_key)])) return out

Copyright©2014 JPCERT/CC All rights reserved.36 Decryption Parameter Base Config RC4 key Installed Data StrageArray key Random AES key Others Salt LoginKey RC4 XOR key

Copyright©2014 JPCERT/CC All rights reserved.37 Obtaining Parameter re.compile(".*¥x56¥xBA(..)¥x00¥x00¥x52¥x68(....) ¥x50¥xE8....¥x8B¥x0D.*", re.DOTALL)

Copyright©2014 JPCERT/CC All rights reserved.38 UCL Decompress

Copyright©2014 JPCERT/CC All rights reserved.39 UCL Decompress using ctypes def _ucl_decompress(self, data): ucl = cdll.LoadLibrary(UCL) compressed = c_buffer(data) decompressed = c_buffer(DECOMPRESS_MAX_SIZE) decompressed_size = c_int() result = ucl.ucl_nrv2b_decompress_le32( pointer(compressed), c_int(len(compressed.raw)), pointer(decompressed), pointer(decompressed_size)) return decompressed.raw[:decompressed_size.value]

Copyright©2014 JPCERT/CC All rights reserved.40 CITADEL DECRYPTOR

Copyright©2014 JPCERT/CC All rights reserved.41 Environment • Citadel Decryptor is only available for 32bit environment Windows + 32bit Python • For AES decryption • Windows binary • PyCrypto • A Python module for parsing PE file format (Windows executable) • For parsing PE sections to get decryption params pefile

Copyright©2014 JPCERT/CC All rights reserved.42 Data Requirement Encrypted data Unpacked Citadel • RC4 key • XOR key for AES+ • XOR key for RC4+ (LOGINKEY) • Salt for RC4+ Installed Citadel • Installed Data • Random generated AES key • Random generated StrageArray key

Copyright©2014 JPCERT/CC All rights reserved.43 Encrypted data & unpacked module are always required > usage: [-h] [-n] [-a] [-d] [-o OUT] [-D] [-l LOGIN] [-k KEY] [-x XOR] [-s SALT] [-i INSTALLED] [-m MODE] [-v] DAT EXE error: too few arguments >

Copyright©2014 JPCERT/CC All rights reserved.44 Cheat Sheet The following options have to be specified as well as encrypted data and unpacked Citadel Category Data Option Packet Report -m2 Dynamic Config -d Additional modules -m3 -n File Report files -a -i [Installed Citadel] Backup of modules -a -i [Installed Citadel] Registry Backup of Dynamic Config -d -i [Installed Citadel]

Copyright©2014 JPCERT/CC All rights reserved.45 Demo

Copyright©2014 JPCERT/CC All rights reserved.46 Tips Convert registry data to binary • Export data using regedit & convert them to binary using the following FileInsight plugin • Unpacking • It is easy to break on APIs • WriteProcessMemory • CreateProcessW • VirtualFree / VirtualFreeEx / RtlFreeHeap • Dump executable (not after allocated) from virtual memory • including 0x400 bytes overlay

Copyright©2014 JPCERT/CC All rights reserved.47 Future Tasks We already have • ZeuS Decryptor • Ver • Ver • Ice IX Decryptor • etc. We want • Gameover (P2P ZeuS) Decryptor

Thank You! Contact Incident report

Add a comment

Related presentations

Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...

In this presentation we will describe our experience developing with a highly dyna...

Presentation to the LITA Forum 7th November 2014 Albuquerque, NM

Un recorrido por los cambios que nos generará el wearabletech en el futuro

Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...

Microsoft finally joins the smartwatch and fitness tracker game by introducing the...

Related pages

Fight Against Citadel in Japan by You Nakatsuru - YouTube

Want to watch this again later? Sign in to add this video to a playlist. Autoplay When autoplay is enabled, a suggested video will automatically ...
Read more

Codeblue01 : Fight Against Citadel In Japan By You Nakatsuru

Defeating Getimagesize() Checks In File Uploads; Challenge 6: Digest Authentication Reloaded; Challenge 5: Digest Authentication Attack; Basic ...
Read more

Fight Against Citadel in Japan - JPCERT

Fight Against Citadel in Japan. 2014/02/18. JPCERT/CC Analysis Center. NAKATSURU You
Read more

Fillable Online Fight Against Citadel in Japan - JPCERT ...

Japan Computer Emergency Response Team Coordination Center : Japan Computer Emergency Response Team Coordination Center DN : cJP, stTokyo, lChiyodaku ...
Read more

JPCERT/CC Blog: Banking Trojan “Citadel” Returns

Banking Trojan “Citadel ... You ‘Tsuru’ Nakatsuru from Analysis Center. It has been just about two years since I delivered a talk “Fight Against ...
Read more

Fillable Online Fight Against Citadel in Japan - JPCERT ...

Connect ODBC Installation Guide. Annual report for the year 2005. Connect ODBC Installation Guide February 2002 TM ? 2002 DataDirect Technologies. All ...
Read more

森克宏 - YouTube

Sign in now to see your channels and recommendations! Sign in. YouTube Red ; Watch Queue Queue. Watch Queue Queue. Remove all; Disconnect
Read more