This Citadel botnet was targeting my country (France) and was hosted in... France.
So I gave a fuck.
Some screenshots found inside these folders, Free Mobile:
And when screenshots can't do the trick, the hackers use the video module. La Banque Postale:
Someone administering a POS (video grabbed from the Citadel botnet):
Mairie de Neuilly compromised:
But what can we learn from this attack?
• dns: 1 ›› ip: 220.127.116.11 - adresse: ANGELESCITYPATTAYA.COM
• dns: 1 ›› ip: 18.104.22.168 - adresse: MALKMALK.COM
A list of antivirus sites and various help forums hijacked (the bot's DNS redirect list):
After the shutdown, the hacker behind it set up another server, this time with the botnet ID 'caticlan'.
I asked Roman (abuse.ch) for a sample, but unfortunately he had nothing for this domain.
Finally a guy from a French CERT (you know who you are) shared an MD5 of a sample with me.
Now, what's the trouble with 'John Doe 25'?
Microsoft later released a lawsuit document against these guys; the botnet ID 'mimosa' and the Citadel login key 'C1F20D2340B519056A7D89B7DF4B0FFF' that was targeting France match:
But there is no trace of 'caticlan' in the document.
That's weird, because they use the exact same key and everything:
angelescitypattaya.com was later sinkholed (Microsoft worked really hard on sinkholes, over 4k domains).
And about the login key 'C1F20D2340B519056A7D89B7DF4B0FFF':
This one comes from a builder hosted on a VPS: people pay for access to the VPS and can build their own bots.
This is also why we see unrelated botnets doing different things but all coming from the same builder, and so carrying the same login key.
For example, we see this login key on a 'test' botnet run by casual people:
Now, having a look at the guy behind John Doe 25, who made all these builds:
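As an added example (not code from the original post), here is how I would pivot on the login key when sorting samples: group builds by key, flag keys seen on more than one botnet ID (a rented or shared builder), and list botnet IDs that share a key with one named in a document but are absent from it, which is exactly the 'mimosa' vs. 'caticlan' situation above. The sample records and MD5s are constructed; only the botnet IDs and the key come from the post.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original post): each is
# (sample_md5, botnet_id, login_key). The botnet IDs 'mimosa', 'caticlan'
# and 'test' and the login key C1F20D2340B519056A7D89B7DF4B0FFF are the
# ones discussed in the post; the MD5s are placeholders.
SAMPLES = [
    ("0" * 32, "mimosa",   "C1F20D2340B519056A7D89B7DF4B0FFF"),
    ("1" * 32, "caticlan", "c1f20d2340b519056a7d89b7df4b0fff"),  # panel dumps vary in case
    ("2" * 32, "test",     "C1F20D2340B519056A7D89B7DF4B0FFF"),
    ("3" * 32, "other",    "00112233445566778899AABBCCDDEEFF"),
]

HEX32 = re.compile(r"^[0-9A-F]{32}$")


def normalize_key(key):
    """Upper-case the key and reject anything that is not 32 hex digits,
    so a typo or a truncated copy/paste does not create a phantom cluster."""
    k = key.strip().upper()
    if not HEX32.match(k):
        raise ValueError(f"not a 32-hex login key: {key!r}")
    return k


def cluster_by_login_key(samples):
    """Map each login key to the set of botnet IDs built with it."""
    clusters = defaultdict(set)
    for _md5, botnet_id, key in samples:
        clusters[normalize_key(key)].add(botnet_id)
    return dict(clusters)


def shared_builders(samples):
    """Login keys seen on more than one botnet ID. A shared key means a
    shared builder, not necessarily a shared operator: the 'test' botnets
    run by casual people show why key-only attribution over-reaches."""
    return {k: ids for k, ids in cluster_by_login_key(samples).items()
            if len(ids) > 1}


def missing_from_document(samples, documented):
    """Botnet IDs that share a login key with a (botnet_id, key) pair
    named in a document but are themselves absent from it."""
    documented = {(bid, normalize_key(k)) for bid, k in documented}
    documented_keys = {k for _, k in documented}
    missing = set()
    for key, ids in cluster_by_login_key(samples).items():
        if key in documented_keys:
            missing |= {bid for bid in ids if (bid, key) not in documented}
    return missing


if __name__ == "__main__":
    lawsuit = [("mimosa", "C1F20D2340B519056A7D89B7DF4B0FFF")]
    for key, ids in shared_builders(SAMPLES).items():
        print(f"{key}: built for {sorted(ids)}")
    print("sharing a documented key but not documented:",
          sorted(missing_from_document(SAMPLES, lawsuit)))
```

The output is a builder-level link only; to tie 'caticlan' to the same operator as 'mimosa' you still need something the key does not give you (hosting, panel, payment trail).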
Example of one of his French clients, 'CC-Dealer':
Now let's have a look at other French guys who offer Citadel services.
There are not a lot of people in France who offer Citadel services, but here is one I found interesting:
Demo of a webinject on Crédit Agricole:
Work in progress:
Citadel service on another forum, 'Hax0r':
I have a lot of information regarding the other John Does, but I will avoid disclosing everything and leave you with this fun image:
Oh, and of course, the guys behind this fail use the Citab builder ;)
I hesitated a long time before publishing this; in the end I thought it would be interesting.