Citadel Trojan masquerades as UPS Invoice download (August 23, 2013)


The Dell SonicWall Threats Research team has received reports of a new variant of the Citadel Trojan (based on Zbot). This Trojan is known to contain many features that are used to steal information from infected machines. This includes stealing banking credentials, audio capture and playback, keystroke logging and screenshot/video capture.

Infection Cycle:

The Trojan arrives in the form of an email purporting to be from UPS:

It provides fake links to a Tracking number and invoice. The links lead to the download of the Trojan executable file.

The Trojan makes the following DNS query:


The Trojan adds the following files to the filesystem:

  • %APPDATA%Afgokoqxi.exe [Detected as GAV: Zbot.BIM (Trojan)]
  • %APPDATA%Haisaamaf.elw [empty file]
  • %APPDATA%Iqevopohoqq.rib [configuration file]

The Trojan adds the following keys to the windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Ibosod “%APPDATA%Afgokoqxi.exe”
  • HKEY_USERSS-1-5-21-448539723-1682526488-839522115-1003SoftwareMicrosoftAzcae Okqy hex:3d,e4,f2,fa,b2,d4,e2,1c,aa,a2,78,f6,4c,2f,ee, …

The configuration file contains the C&C server URL, the name of the process to inject (in this case explorer.exe), browser User Agent strings and other information on what to do once the system has been infected:

Before deleting itself, the original malicious executable writes oqxi.exe to disk and runs it. oqxi.exe injects code [Detected as GAV: Xin1_4 (Trojan)] into explorer.exe:

It causes explorer.exe to report to a remote C&C server and download an additional malicious module:

It was observed sending the following sensitive system information encrypted to the C&C server:

Analysis of the binaries installed by the Trojan suggest an array of capabilities such as video/audio recording and playback, webinject capability and the ability to extract information from certain files. We caught the Trojan inspecting a Microsoft Outlook Sent Items.dbx file.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Zbot.BIM (Trojan)
  • GAV: Xin1_4 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.