Friday, 14 June 2013

Citadel lawsuit and explanation of John Doe 25

I was browsing the Zeus Tracker in May, and a particular botnet caught my attention:
https://zeustracker.abuse.ch/monitor.php?host=angelescitypattaya.com
This Citadel botnet was targeting my country (France) and was hosted in... France.
So I gave a fuck.

C&C Login:

Files:

Report folder:
I did the count: there is a total of 1142 folders.

Some screenshots found inside these folders. Mobile Free:

BNP Paribas:

Credit Agricole:

Société Générale:

LCL:

Crédit mutuel:

And when screenshots can't do the trick, the operators use the video module. Banque Postale:

Someone administering a POS (video grabbed from the Citadel botnet):

Mairie de Neuilly compromised:
I took care to report this botnet to the banks and CERTs; a few hours later it was shut down.
But what can we learn from this attack?

Drop/Update:
angelescitypattaya.com/mimosa/file.php|file=mimosa.exe
angelescitypattaya.com/mimosa/welcome.php
angelescitypattaya.com/mimosa/file.php
angelescitypattaya.com/mimosa/file.php|file=config.dll
malkmalk.com/mimosa/file.php|file=config.dll
• dns: 1 ›› ip: 91.236.254.207 - adresse: ANGELESCITYPATTAYA.COM

• dns: 1 ›› ip: 82.165.37.26 - adresse: MALKMALK.COM
Other domains hosted on 82.165.37.26:
ALLBE777.COM
CHECKIT-ONLINE-2.NET
DATINGSCAMMERSLIST.INFO
FNEU.NET
FOTOSBASES.INFO
FURCHALKAEPTI.NET
GAMEMARI.NET
GBAH.NET
GBVP.NET
GLAZSYSTEM.COM
GLAZSYSTEM.NET
GOOG-CHECK.NET
IBTL.NET
IIIFADKFJHABKLDFALK.NET
ILOVEBOSTON1974.COM
MALKMALK.COM
MGAB.NET
MIMTALK.COM
NEWSMETA.NET
PEUHIUYCA.COM
REEPTA.COM
SEOWINDOW.NET
SOMEONEINHAPPENS.COM
TUTUBEST.NET
TZFRM.COM
UNIKOMPOK.NET
VMHOSTINGBOXX.ORG
WEBANALYSES.COM
WEBSAMPLETODAY.COM
WIDELID.COM
ZIROCITY.COM
ZSBIZ.NET

Banks/sites targeted:
*.credit-agricole.fr
*societegenerale.fr
*secure.lcl.fr
voscomptesenligne.labanquepostale.fr
*bnpparibas.net
*mobile.free.fr
*banque-accord.fr
*creditmutuel.fr
*facebook.com

A list of the antivirus sites and various help forums hijacked by the config:
http://pastebin.com/ZFGb7wQG
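The indicators above are enough to build a first sweep of proxy logs: the C&C hosts and IPs, the `/mimosa/file.php` and `/mimosa/welcome.php` drop/update paths, and the Zeus/Citadel-style target masks. The Python below is an added example written for this page, not code from the original post or from the Citadel kit. It assumes that the `|` in the tracker listing stands for `?` in the real URL, that masks are applied to the hostname only with `*` as the sole wildcard (the real Citadel config engine has more mask syntax), and the proxy log lines are constructed for the example. The useful check is the separation it makes: a visit to a targeted bank is only evidence of exposure when the same client also beaconed to the C&C.

```python
import re
from urllib.parse import urlsplit

# Target masks as listed in the post, matched here against the hostname only.
TARGET_MASKS = [
    "*.credit-agricole.fr",
    "*societegenerale.fr",
    "*secure.lcl.fr",
    "voscomptesenligne.labanquepostale.fr",
    "*bnpparibas.net",
    "*mobile.free.fr",
    "*banque-accord.fr",
    "*creditmutuel.fr",
    "*facebook.com",
]

# C&C indicators from the post. Assumption: the tracker's '|' is the real URL's '?',
# so the interesting part of the URI is the path '/mimosa/file.php'.
CNC_HOSTS = {"angelescitypattaya.com", "malkmalk.com", "rivascloviso.net"}
CNC_IPS = {"91.236.254.207", "82.165.37.26"}
CNC_PATHS = {"/mimosa/file.php", "/mimosa/welcome.php"}


def mask_to_regex(mask: str) -> re.Pattern:
    """Translate a Zeus/Citadel-style mask into a regex.

    '*' matches any run of characters, everything else is literal, and the
    mask must cover the whole hostname (simplified: no other mask syntax).
    """
    parts = [re.escape(p) for p in mask.lower().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


_COMPILED_MASKS = [(m, mask_to_regex(m)) for m in TARGET_MASKS]


def matching_mask(url: str):
    """Return the first target mask the URL's hostname matches, or None."""
    host = (urlsplit(url).hostname or "").lower()
    for mask, rx in _COMPILED_MASKS:
        if rx.match(host):
            return mask
    return None


def classify(url: str) -> dict:
    """Which indicator(s) a single URL hits."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return {
        "cnc_host": host in CNC_HOSTS or host in CNC_IPS,
        "cnc_path": parts.path in CNC_PATHS,
        "target_mask": matching_mask(url),
    }


# Constructed proxy log lines (not from the post): "<ts> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2013-05-12T09:01:02Z 10.0.0.15 GET http://angelescitypattaya.com/mimosa/file.php?file=config.dll 200
2013-05-12T09:01:05Z 10.0.0.15 GET https://www.credit-agricole.fr/ 200
2013-05-12T09:02:11Z 10.0.0.22 GET http://82.165.37.26/mimosa/file.php?file=mimosa.exe 200
2013-05-12T09:03:40Z 10.0.0.15 POST http://angelescitypattaya.com/mimosa/welcome.php 200
2013-05-12T09:04:00Z 10.0.0.31 GET https://www.example.org/index.html 200
"""


def scan(log_text: str):
    """Return (line_no, client, url, hits) for every line that hits any indicator."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        client, url = fields[1], fields[3]
        hits = classify(url)
        if hits["cnc_host"] or hits["cnc_path"] or hits["target_mask"]:
            findings.append((n, client, url, hits))
    return findings


def infected_clients(findings):
    """Clients that talked to the C&C (host/IP or drop path): the actual infections."""
    return {c for _, c, _, h in findings if h["cnc_host"] or h["cnc_path"]}


def at_risk_sessions(findings):
    """Bank/target visits made by infected clients: sessions the webinjects could have hit.

    A target-mask hit from a client that never beaconed is just normal browsing.
    """
    infected = infected_clients(findings)
    return [(n, c, u, h["target_mask"]) for n, c, u, h in findings
            if h["target_mask"] and c in infected]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print("infected clients:", sorted(infected_clients(found)))
    for n, c, u, mask in at_risk_sessions(found):
        print(f"line {n}: {c} visited {u} (mask {mask}) while infected")
```

Run as-is to see the constructed log scanned; swap `SAMPLE_LOG` for a real proxy export with the same five whitespace-separated fields. The masks match hostnames only, so a sensible next step is to carry the full URL masks from an actual config dump instead of the domain list shown here.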

After the shutdown, the operator set up another server, this time with the botnet ID 'caticlan':
https://zeustracker.abuse.ch/monitor.php?host=rivascloviso.net
383 folders (the server suffered several shutdowns).

I asked Roman (abuse.ch) for a sample, but unfortunately he had nothing for this domain.
Finally a guy from a French CERT (you know who you are) shared the MD5 of a sample with me.

Now, what's the trouble with 'John Doe 25'?
Microsoft later released the lawsuit documents against these guys; the botnet ID 'mimosa' and the Citadel login key 'C1F20D2340B519056A7D89B7DF4B0FFF' that was targeting France match:

http://botnetlegalnotice.com/citadel/files/Summons_Does_1_82.pdf

 http://botnetlegalnotice.com/citadel/files/Compl_App_C.pdf

But there is no trace of 'caticlan' in the documents.
That's weird, because it uses the exact same key and setup:
Microsoft probably missed it.

angelescitypattaya.com was later sinkholed (Microsoft worked really hard on sinkholing: over 4k domains).
About the login key 'C1F20D2340B519056A7D89B7DF4B0FFF':
this one comes from a builder hosted on a VPS; people pay for access to the VPS and can build their own bots.
This is also why we see unrelated botnets doing different things but all coming from the same builder: the key identifies the builder, not a single operator.

For example, we see this login key on 'test' botnets run by casual people:
The actor profiles don't coincide with the Citadel key.

Citadel 1.3.5.1 builder of John Doe 25 (C1F20D2340B519056A7D89B7DF4B0FFF):


Now let's have a look at the guy behind John Doe 25, who made all these builds:
Ladies and gentlemen... Citab.

Example of one of his French clients, 'CC-Dealer':
Screenshot:
You can compare the builder info badly blurred by this guy with my builder screenshot: it's the same.

Now let's have a look at other French guys who offer Citadel services.
There are not a lot of people in France who do Citadel services, but here is one I found interesting:
A guy with the nick 'Dahou'.

Demo of a Webinject on Crédit Agricole:

Work in progress:

Citadel service on another forum 'Hax0r':

I have a lot of information regarding other John Does, but I will avoid disclosing everything and leave you with this fun image:

Oh, and of course, the guys behind this fail use Citab's builder ;)

I hesitated a long time before publishing this; finally I thought it would be interesting.

Thursday, 13 June 2013

Trojan.Ransom



This trojan blocker (MD5: b72a1ffd702f73080c7ab9ff26ba64ce, be1589b12b771ca6ba41b9e4c82ec9aa, d4a0afcc3471878014f4b64780245054) prevents all software execution.
To remove the trojan (and unlock Windows), infected users need to enter a valid unlock code.


WebMoney: B208016071489
WebMoney: U264040669509
Phone: 988-185-37-42
Code to unlock Windows: 2348

Russian text (original lock screen):
КОМПЬЮТЕР ЗАБЛОКИРОВАН!
Ваш компьютер заблокирован за просмотр, копирование и тиражирование
видеоматериалов, содержащих элементы порнографии, педофилии и насилия над детьми.
Для снятия блокировки Вам необходимо оплатить штраф в размере
600000 БЛ. рублей в WebMoney кошелек
B208016071489
оплату штрафа можно произвести в любом платежном терминале.
В случае оплаты суммы равной штрафу либо превышающей ее на фискальном
чеке терминала будет напечатан код разблокировки. Его нужно ввести
в поле в нижней части окна и нажать кнопку "Enter". После снятия
блокировки Вы должны удалить все материалы содержащие элементы порнографии,
насилия и педофилии. Если в течение 12 часов штраф не будет оплачен, все данные
на Вашем персональном компьютере будут безвозвратно удалены, а дело
будет передано в суд для разбирательства по статье 343 ч.1 УК РБ.
В Н И М А Н И Е !
Перезагрузка или выключение компьютера приведет к незамедлительному
удалению ВСЕХ данных, включая код операционной системы и BIOS,
с невозможностью дальнейшего восстановления.

Статья 343.1. Изготовление и распространение порнографических материалов или предметов.
Изготовление либо хранение с целью распространения или рекламирования, либо распространение или
рекламирование порнографических материалов или печатных изданий, иных предметов порнографического
характера с изображением заведомо несовершеннолетнего, либо публичная демонстрация кино- или
видеофильмов порнографического содержания с таким изображением - наказываются исправительными
работами на срок до двух лет, или арестом на срок до шести месяцев, или ограничением свободы на срок
до четырех лет.

Translation (thanks @Malwageddon)
COMPUTER IS LOCKED

Your PC is locked due to activity involving viewing, copying and
distribution of video materials containing pornography, physical and sexual
abuse of children. You have to pay the fine of 600000 Belarusian rubles to
remove the lock. Use any valid Webmoney terminals to deposit the money to
B208016071489. Unlock code will be displayed at the end of the transaction.
Enter the code at the bottom of the screen and press "Enter". Once the lock
is removed you have to delete all of the offending materials. If the fine
is not paid within 12 hours all of the data on your PC will be permanently
deleted and your case forwarded to court for investigation as per article
343 part 1 of Criminal Code of Republic of Belarus.

A T T E N T I O N !

If you attempt to reboot or shutdown the PC all the data on it will be
permanently deleted including OS code and BIOS.


Article 343.1. Production and distribution of pornographic materials or
items.

Production or possession with an intent of distribution or advertisement,
or distribution or advertisement of pornographic materials including
magazines or other items of pornographic characteristics containing images
of the minors, or public demonstration of pornographic movies or videos
containing the same images - subjected to community work term up to 2
years, or an arrest term up to 6 months, or a jail term up to 4 years.

Note for reverse engineer:

Monday, 10 June 2013

Trojan:Win32/Tobfy.M Affiliate

Came across a Tobfy sample today; things were interesting, so here is a post.
I will skip the reversing part: I'm a bit bored of taking 50 screenshots and going step by step through what the 'M' version of Tobfy does (this winlock is very primitive and relatively easy to understand).
So, let's go directly to the C&C part.

French landing page when loaded (buggy IP retrieval and geolocation):
• dns: 1 ›› ip: 91.226.212.174 - adresse: HKKPOGMPG.POLEXT-FREEHOST.RU
• dns: 1 ›› ip: 91.226.212.174 - adresse: AREKOV.COM


Login:
Registration:

News:

Statistics:

Checks:

Links/EXE (39090a097cfbe4ab766317e5f3d74b53):

Rules:

Affiliate stats:
(Ignore the 'admin' account; it was also created by me.)

Affiliate Checks:


Some samples taken from the server:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2214&start=10#p19581

I'm not very familiar with Tobfy, but it's the first time I see it run through an affiliate system.

Friday, 7 June 2013

Carding Manager

Carding Manager is a script made by a Frenchman to store CC details; it was at first sold for $50.

But it seems sales didn't work out: Peax reduced the price to $20.
Anyway, it's the first time I see a manager for carders; this guy deserves a post.

• dns: 1 ›› ip: 209.190.85.27 - adresse: SULU.HTML-5.ME
Login:

Dashboard:

Cards:

Edit card:

Card infos:

Orders:

Edit order:

Order Infos:

Identity:

Edit identity:

Site manager:

Edit site:

View accounts:

Edit account:

The script isn't secure at all, but the interface is cool.