Busting the Citadel Trojan developers

Brian Krebs recently reported about the Citadel developers getting busted by the FBI. What is most interesting is the bait that FBI used to trap them.

Citadel boasted an online tech support system for customers designed to let them file bug reports, suggest and vote on new features in upcoming malware versions, and track trouble tickets that could be worked on by the malware developers and fellow Citadel users alike. Citadel customers also could use the system to chat and compare notes with fellow users of the malware.

It was this very interactive nature of Citadel’s support infrastructure that FBI agents ultimately used to locate and identify Vartanyan, the developer of Citadel.

Analysis of China-based APT “Deputy Dog” by FireEye and Microsoft TI teams

Analysis of China-based APT “Deputy Dog” by FireEye and Microsoft TI teams

FireEye has just released an interesting report on the obfuscation techniques used by China-based APT “Deputy Dog”. The FireEye TI (Threat Intelligence) team reportedly found suspicious activity on Microsoft’s TechNet site, early last year, which appeared to have been related to the BLACKCOFEE malware, a malware supposedly employed by the same group in China.

In late 2014, FireEye Threat Intelligence and the Microsoft Threat Intelligence Center discovered a new Command-and-Control (CnC) obfuscation tactic on Microsoft’s TechNet web portal—a valuable web resource for IT professionals.

The threat group took advantage of the ability to create profiles and post in forums to post encoded C2 for use with a variant of the malware BLACKCOFFEE. This technique can make it difficult for network security professionals to determine the true location of the CnC, and allow the CnC infrastructure to remain active for a longer period of time. TechNet’s security was in no way compromised by this tactic.

Here is a representation of the technique by the FireEye team:

Screen Shot 2015-05-14 at 9.00.09 pm

This is a really smart way of fetching and using the C&C IP address, by the attacker, and detecting this communication is going to be a bit tricky and interesting, and so the adversaries will use these obfuscation techniques more often.

The FireEye team has also shared the Indicators of compromise for this, on Github, which will come in very handy to tune our detection rules.