Wednesday, 10 August 2016

Citadel (Atmos 1.01) - Builder in action

Sup guys? Hope you're all doing well. For the past few days I've been studying the Citadel botnet (a banking Trojan).
I don't think I need to say much about it, since it's quite well known among malware families.

So I did some basic analysis of its builder, mainly how it generates the bot binary (the "bin"). I'll do a more in-depth analysis once I'm done with my personal projects.

Let's start...

First of all, Citadel doesn't have much public documentation, and it hasn't been discussed much.

The very first sample of Atmos (the latest Citadel) was first analysed at kernelmode in July 2015.

Let's take a basic look at how the builder works.

First of all it generates the modules for VNC and video capture of the victim's screen (so the operator can watch what is being done in real time).
Once the video modules are built, we can move on to building the intergate.
The intergate module produces two PHP files:



As we can observe here, intergate.php calls intergate_config.php, which means all the configuration is saved in intergate_config.php. Together these handle the handshake between the attacker and the slave (bot).

Now let's move on to building the configuration.

Here we can observe that some commands are reserved for post-exploitation, run right after infection of the slave system:

* The firewall is disabled using the Windows netsh command (netsh firewall set opmode disable)
* The process list is grabbed (tasklist)
* The IP configuration is grabbed using ipconfig /all
* The AppData directory is located, so the main payload can be dropped there after injection for persistence
* The net share command is executed
* DNS filters are set up

Some functions are reserved to run once the bot is persistent and in stealth mode:
* A keylogger to grab bank logins and other useful info
* A video logger, linked to the video-grabbing module
* The webinjects function

This module ends up producing an XML file, which is uploaded to the server to control all these functions.

So let's finish up by building our bin :)

And finally we set up our panel and wait for infections. :)

Anti-Forensics:

As far as I've observed, Citadel and Zeus have the same anti-forensics properties. The builder generates a random .bat file that removes traces of the primary payload dropped onto the victim system: right after execution it deletes the initial file (us.exe), moves the main payload generated by us.exe into AppData so that it stays persistent and stealthy, and then deletes itself so the victim gets no hint of the infection.
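As an added example (not code from the original post), here is a small Python detection sketch covering both the reserved post-infection commands listed above and the .bat cleanup described in this section: it scans constructed process-creation records (fields modelled loosely on Sysmon Event ID 1) for the recon and firewall-disable commands plus a cmd.exe child launching a .bat from a Temp path, and flags a parent process whose children trip several rules at once rather than alerting on any single command. The field names, process ids, sample records and the assumption that the cleanup batch is launched via cmd /c are all mine.

```python
"""Detection sketch: reserved post-infection commands plus a .bat cleanup child.

Added example, not code from the original post. Event fields are modelled
loosely on Sysmon Event ID 1 (process create); all records are constructed.
"""
import re
from collections import defaultdict

# (rule name, regex over the command line); commands taken from the post
RULES = [
    ("firewall_disable", re.compile(r"netsh\s+firewall\s+set\s+opmode\s+disable", re.I)),
    ("process_discovery", re.compile(r"(^|\\|\s)tasklist(\.exe)?\b", re.I)),
    ("network_config_discovery", re.compile(r"ipconfig(\.exe)?\s+/all\b", re.I)),
    ("share_discovery", re.compile(r"(^|\\|\s)net(\.exe)?\s+share\b", re.I)),
    # assumption: the random cleanup .bat is launched through cmd /c from a Temp dir
    ("batch_cleanup_child", re.compile(r"cmd(\.exe)?\s+/c\s+.*\\temp\\[^\\]*\.bat", re.I)),
]


def classify(cmdline: str) -> list[str]:
    """Names of every rule a single command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def score_parents(events, threshold: int = 3) -> dict[int, list[str]]:
    """Group child events by parent pid and return the parents whose children
    trigger at least `threshold` distinct rules. One recon command on its own
    (an admin running ipconfig) should not fire; the whole cluster should."""
    hits: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        hits[ev["ppid"]].update(classify(ev["cmdline"]))
    return {ppid: sorted(n) for ppid, n in hits.items() if len(n) >= threshold}


# Constructed sample records (not from a real infection). Parent 4120 plays
# the freshly injected bot; parent 880 is an unrelated admin shell.
SAMPLE_EVENTS = [
    {"ppid": 4120, "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh firewall set opmode disable"},
    {"ppid": 4120, "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
    {"ppid": 4120, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ppid": 4120, "image": r"C:\Windows\System32\net.exe", "cmdline": "net share"},
    {"ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\victim\AppData\Local\Temp\a1b2c3.bat"'},
    {"ppid": 880, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
]

if __name__ == "__main__":
    for ppid, names in score_parents(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid} tripped {len(names)} rules: {', '.join(names)}")
```

Only parent 4120 is flagged; the lone ipconfig /all under parent 880 stays below the threshold, which is the point of scoring the cluster rather than each command.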

I'll dig into it more once I get time to study it more intensely :)

Some important details:

Sample MD5: fda70db0df27b826ddf2ec8085777f68

Sandbox analysis report:

VirusTotal reports:

Speed links for more info:

Xylibox:



So I hope you enjoyed :)

This was for educational purposes :)

Thanks :) If you have any query, kindly ping me on Twitter.

Special thanks to Suriya Prakash :) and regards to Xylit0l