Citadel Trojan masquerades as UPS Invoice download

August 27, 2013

The Dell SonicWall Threats Research team has received reports of a new variant of the Citadel Trojan (based on Zbot). This Trojan is known to contain many features that are used to steal information from infected machines. This includes stealing banking credentials, audio capture and playback, keystroke logging and screenshot/video capture.

Infection Cycle:

The Trojan arrives in the form of an email purporting to be from UPS:

It provides fake links to a Tracking number and invoice. The links lead to the download of the Trojan executable file.

The Trojan makes the following DNS query:


The Trojan adds the following files to the filesystem:

  • %APPDATA%Afgokoqxi.exe [Detected as GAV: Zbot.BIM (Trojan)]
  • %APPDATA%Haisaamaf.elw [empty file]
  • %APPDATA%Iqevopohoqq.rib [configuration file]

The Trojan adds the following keys to the windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Ibosod "%APPDATA%Afgokoqxi.exe"
  • HKEY_USERSS-1-5-21-448539723-1682526488-839522115-1003SoftwareMicrosoftAzcae Okqy hex:3d,e4,f2,fa,b2,d4,e2,1c,aa,a2,78,f6,4c,2f,ee, ...

The configuration file contains the C&C server URL, the name of the process to inject (in this case explorer.exe), browser User Agent strings and other information on what to do once the system has been infected:

Before deleting itself, the original malicious executable writes oqxi.exe to disk and runs it. oqxi.exe injects code [Detected as GAV: Xin1_4 (Trojan)] into explorer.exe:

It causes explorer.exe to report to a remote C&C server and download an additional malicious module:

It was observed sending the following sensitive system information encrypted to the C&C server:

Analysis of the binaries installed by the Trojan suggest an array of capabilities such as video/audio recording and playback, webinject capability and the ability to extract information from certain files. We caught the Trojan inspecting a Microsoft Outlook Sent Items.dbx file.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Zbot.BIM (Trojan)
  • GAV: Xin1_4 (Trojan)