Citadel: A Binary Static Analysis Framework for Malware Research

This repository profile is provided by osrepos.com, an open source repository discovery platform.

Summary

Citadel is a robust binary static analysis framework tailored for payload analysis and malware research. It provides comprehensive PE parsing, capability detection, and similarity analysis through a modern web interface, helping researchers understand why implants are detected statically.

Repository Information

Analyzed by OSRepos on March 20, 2026

Use at your own risk

OSRepos shares public repositories for knowledge and discovery only. Any installation, execution, configuration, or use of code from these repositories is the user's own responsibility. Always review the repository, source code, dependencies, licenses, and security implications before running or installing anything. OSRepos is not responsible for issues, damages, or losses resulting from third-party repositories.

Introduction

Citadel is a powerful binary static analysis framework specifically designed for payload analysis and malware research. It addresses the common frustration of static detection analysis by providing comprehensive tools to understand why implants are being detected. With its modern web interface, Citadel offers in-depth PE parsing, robust capability detection, and advanced similarity analysis.

Key features of Citadel include:

  • Remote Analysis: An HTTP API lets you analyze a sample without copying the file onto the VM, so security software such as Defender never gets a chance to interfere with it.
  • Comprehensive PE Parsing: Utilizes multiple parsers for thorough binary analysis, extracting critical information from Portable Executables.
  • Capability Detection: Maps detected functionalities to frameworks like MITRE ATT&CK and the Malware Behavior Catalog, providing actionable intelligence.
  • Similarity Analysis: Employs TLSH fuzzy hashing for efficient sample clustering, helping identify related malware families or variants.
  • Modern UI: A clean and intuitive dashboard presents analysis results with various visualizations, making complex data easily digestible.

Installation

To get Citadel up and running, you need a few prerequisites; an installation script then handles the rest.

Prerequisites:

  • Python 3.10+
  • MongoDB
  • Windows VM (required for the .NET agent)

The install.sh script automates the setup process, installing Python 3.10, Radare2, MongoDB, Citadel itself, and the TLSH database.

To install, run:

bash install.sh

After installation, start the frontend and the worker in separate terminal panes:

uv run frontend/app.py
uv run worker.py

Examples

Citadel's modern web interface provides several dedicated sections to visualize and interact with analysis results:

  • Upload: This section allows users to submit new binaries for analysis.
  • Index: Provides an overview of all analyzed samples, offering a quick glance at your research data.
  • Task Summary: Delivers a detailed summary of the analysis performed on a specific binary, consolidating key findings.
  • CAPA: Focuses on capability detection, showing how the analyzed payload aligns with known threat frameworks like MITRE ATT&CK.
  • Evasion: Presents insights into potential evasion techniques identified within the binary.
  • Technical: Offers an extensive deep dive into the technical aspects of the binary, including detailed PE structure, imports, exports, and more.

Why Use Citadel?

Citadel is an invaluable tool for malware researchers, red teamers, and security analysts who need to understand the static properties of binaries. Its ability to perform remote analysis significantly streamlines workflows by avoiding common VM-related issues. By integrating comprehensive PE parsing with advanced capability and similarity analysis, Citadel provides a holistic view of malicious payloads. The intuitive modern UI ensures that even complex analysis results are presented clearly, enabling quicker insights and more effective decision-making in the fight against malware.
