Friday 14 June 2013

Citadel lawsuit and explanation of John Doe 25

I was browsing the Zeus Tracker in May, and a particular botnet got my attention: https://zeustracker.abuse.ch/monitor.php?host=angelescitypattaya.com
This Citadel botnet was targeting my country (France) and was hosted in... France.
So I gave a fuck.

C&C Login:

Files:

Report folder:
I counted them: 1142 folders in total.

Some screenshots found inside these folders. Mobile Free:

BNP Paribas:

Credit Agricole:

Société Générale:

LCL:

Crédit mutuel:

And when screenshots can't do the trick, the hackers use the video module. Banque Postale:

Someone administrating a POS (video grabbed from the Citadel botnet):

Mairie de Neuilly compromised:
I took care to pass this botnet on to the banks and the CERTs; a few hours later it was shut down.
But what can we learn from this attack?

Drop/Update:
angelescitypattaya.com/mimosa/file.php|file=mimosa.exe
angelescitypattaya.com/mimosa/welcome.php
angelescitypattaya.com/mimosa/file.php
angelescitypattaya.com/mimosa/file.php|file=config.dll
malkmalk.com/mimosa/file.php|file=config.dll
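The drop/update URLs above share one footprint: a single directory serving file.php (the dropped .exe and config.dll) plus welcome.php. As an added example that is not from the original post, here is a small Python detector that groups such requests per host and directory in proxy logs and flags a directory only once the full footprint appears; it assumes the `|` shown by the tracker stands for `?` in the live request, and the log format and sample lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Files making up the Citadel gate footprint from the tracker listing above:
# one directory serving file.php (dropped .exe and config.dll) and welcome.php.
GATE_FILES = {"file.php", "welcome.php"}


def classify(url):
    """Return (host+directory, kind) for a Citadel-looking request, else None.
    kind is 'dropper' (file=*.exe), 'config' (file=*.dll) or 'gate'."""
    parts = urlsplit(url)
    directory, _, name = parts.path.rpartition("/")
    if name not in GATE_FILES:
        return None
    key = parts.netloc.lower() + directory
    requested = parse_qs(parts.query).get("file", [""])[0].lower()
    if requested.endswith(".exe"):
        return (key, "dropper")
    if requested.endswith(".dll"):
        return (key, "config")
    if requested:          # file.php fetching something else: not this footprint
        return None
    return (key, "gate")   # welcome.php, or the bare file.php bot check-in


def score_logs(lines):
    """Group hits per host+directory and flag directories showing the full
    footprint: a config.dll fetch plus at least one other gate request."""
    seen = defaultdict(set)
    for line in lines:
        fields = line.split()   # constructed format: ts client method url status
        if len(fields) < 5:
            continue
        hit = classify(fields[3])
        if hit:
            seen[hit[0]].add(hit[1])
    return {d: k for d, k in seen.items() if "config" in k and len(k) > 1}


# Constructed proxy log: one infected client, plus benign look-alike requests.
SAMPLE_LOG = """\
1371200001 10.0.0.12 GET http://angelescitypattaya.com/mimosa/file.php?file=mimosa.exe 200
1371200007 10.0.0.12 GET http://angelescitypattaya.com/mimosa/file.php?file=config.dll 200
1371200009 10.0.0.12 POST http://angelescitypattaya.com/mimosa/file.php 200
1371200300 10.0.0.31 GET http://example.org/downloads/file.php?file=report.pdf 200
1371200420 10.0.0.44 GET http://example.net/welcome.php 200
""".splitlines()

if __name__ == "__main__":
    for directory, kinds in score_logs(SAMPLE_LOG).items():
        print(directory, sorted(kinds))  # angelescitypattaya.com/mimosa ['config', 'dropper', 'gate']
```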
• dns: 1 ›› ip: 91.236.254.207 - adresse: ANGELESCITYPATTAYA.COM

• dns: 1 ›› ip: 82.165.37.26 - adresse: MALKMALK.COM

Banks/sites targeted:
*.credit-agricole.fr
*societegenerale.fr
*secure.lcl.fr
voscomptesenligne.labanquepostale.fr
*bnpparibas.net
*mobile.free.fr
*banque-accord.fr
*creditmutuel.fr
*facebook.com

A list of antivirus sites and various help forums hijacked:
http://pastebin.com/ZFGb7wQG

After the shutdown, the hacker behind it set up another server, this time with the Botnet ID: caticlan
https://zeustracker.abuse.ch/monitor.php?host=rivascloviso.net
383 folders (the server suffered several shutdowns)

I asked Roman (abuse.ch) for a sample, but unfortunately he had nothing for this domain.
Finally a guy from a French CERT (you know who you are) shared the MD5 of a sample with me.

Now, what is the trouble with 'John Doe 25'?
Microsoft later released a lawsuit document against these guys; the botnet ID 'mimosa' and the Citadel key 'C1F20D2340B519056A7D89B7DF4B0FFF' that was targeting France match:

http://botnetlegalnotice.com/citadel/files/Summons_Does_1_82.pdf

http://botnetlegalnotice.com/citadel/files/Compl_App_C.pdf

But there is no trace of 'caticlan' in the document.
That's weird, because they use exactly the same key and stuff:
Microsoft probably missed them.

angelescitypattaya.com was later sinkholed (Microsoft worked really hard on sinkholes, over 4k domains).
And about the login key 'C1F20D2340B519056A7D89B7DF4B0FFF':
This one is from a builder on a VPS; people pay for access to the VPS and can build bots.
And this is also why we see unrelated botnets doing different things but all coming from the same builder.

For example, we see this login key on 'test' botnets run by casual people:
The actors' profiles don't coincide with the Citadel key.

Citadel 1.3.5.1 builder of John Doe 25 (C1F20D2340B519056A7D89B7DF4B0FFF).

Now let's have a look at the guys behind John Doe 25, who made all these builds:
Ladies and gentlemen... Citab.

Example of one of his French clients, 'CC-Dealer':
Screenshot:
You can compare the builder info badly blurred by this guy with my builder screenshot: it's the same.

Now let's have a look at other French guys who offer a Citadel service.
There are not a lot of people in France who offer a Citadel service, but here is one of them I found interesting:
A guy who goes by the nick 'Dahou'

Demo of a Webinject on Crédit Agricole:

Work in progress:

Citadel service on another forum 'Hax0r':

I have a lot of information regarding the other John Does, but I will avoid disclosing everything, and leave you with this fun image:

Oh and of course, the guys behind this fail use Citab's builder ;)

I hesitated a long time before publishing this; finally I thought it would be interesting.

11 comments:

  1. It's amazing how stupid some of these carders are... I doubt he will be about much longer unless he learns how to protect his stuff better than other people protect theirs... Good work Xylitol :)

  2. Here you can find my license key: http://trojanforge.com/showthread.php?t=3803

    - Dahou

    Replies
    1. Appears to be F5F4D5EBD5855E904AB8DB757D320604

  3. Good work! Where could I download what's in the last image?

    Replies
    1. http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1465&start=40#p19617

  4. So what is it with these keys that were released in the PDF, are these the ones used for the actual panel?

  5. Good work, we need more reading. :P

  6. Nice job dude, keep it up :)

  7. P.S.: ag3nt47 copied your article on his blog :) lol

  8. You feel unreachable, don't you?

    Replies
    1. I'm not unreachable and there are many ways to contact me.