Citadel Command and Control Domains

Introduction

We have detected new Citadel malware activity, again coming from within large, some Dutch, organizations. These Citadel Trojans are not part of the Pobelka botnet (Dutch) that we discovered last year on September 7, 2012.
From the data we have gathered so far, we believe this new campaign is running since late November 2012.

To help out the Dutch industry, organizations and government we decided to publish (and regularly update) a list of web addresses that are associated with some of the more prevalent Citadel strains. Note that blocking the IP addresses associated with the domains on this page has only limited effect because the cybercriminals are swapping IP addresses every few days. Also note that the real command and control server is buried behind reverse proxies running on compromised computers owned by people who are likely not aware of this.

We have also noticed that the renowned anti-virus solutions deployed inside some of the affected organizations are no match for the new Citadel variants due to the stealthy nature of Citadel. The Citadel infections that we found were already active for nearly three weeks, and during that time these computers were protected by the up-to-date anti-virus solutions. Detecting malware traffic on the firewall or IDS is a good way to reveal affected workstations inside the network where anti-virus solutions are not yet detecting the threats.

Domains

Monitor the following following IP addresses and domains in the IDS or firewall on the perimeter of your network:

Address/Domain/Host	Added
trashinesscro.com	2013-03-11
khowiri.dynalias.com	2013-03-04
caravelaoroltd.com	2013-03-04
bestchoiceininvest.com	2013-03-04
guitarconcernplay.com	2013-03-04
styleproplus.com	2013-03-04
92.53.97.205	2013-02-20
93f09905a7448b1d.com	2013-02-19
wegredeen.com	2013-02-19
generalseoptimization.com	2013-02-19
merchantinhouse3.com	2013-02-19
91.243.115.83	2013-02-19
206.208.115.125	2013-02-16
107.22.60.126	2013-02-15
mousefoxeblue.pl	2013-02-15
suggestedlean.com	2013-02-15
sputtersmorele.pl	2013-02-15
billablelisten.pl	2013-02-15
boxtralsurvisv.pl	2013-02-15
ntrolingwhitel.pl	2013-02-15

If you have affected systems on your network, be aware of these facts:

All usernames and passwords are stolen from all accounts used on these systems, including local and domain administrator accounts.
If the system was used to upload content to FTP sites or edit online CMS articles, these accounts are compromised as well.
Change all passwords after removing the Citadel malware.
Online banking, including Internetbankieren, is likely affected. Check your bank accounts for suspicious or unknown transactions and notify your bank.
Do not forget to ask/notify the users if they used the affected systems for personal (banking) activity, like e.g. Facebook. These accounts or activity were stolen or manipulated as well.
If one or more of the affected systems were also allowed or used for remote working (like setting up a VPN connection) or code signing, revoke the associated certificate(s) and issue new ones. Also think about if there were any other certificates on the systems, e.g. for PGP or submitting data to the Belastingdienst or notary services.
Using one or more of the affected machines, the malware scanned your (local) network structure. Strengthen your defenses where possible.

Second Opinion

Since HitmanPro does not rely on virus signatures it is unlike other anti-virus programs. You can use it to find and remove any malware infection from the affected machines, like viruses, worms, trojans, spyware, bootkits, rootkits and zero-day malware, including Zeus, Zbot or Citadel Trojans. Instructions on how to perform FREE second opinion malware scans with HitmanPro can be found in the following document:

Command-Line Reference for Network Managers (PDF)

This documents contains example scripts on how to integrate HitmanPro into a Windows 2003, 2008 and/or LabTech managed environment.

Published: February 15, 2013. Updated: February 20, 2013 (16:50 CEST). Mark Loman.