Thursday, 20 September 2012

Ulocker Crimeware

Cross posted from Russian Cyber Criminal Forum

English translation @Sherb1n

Seller - xfrzx

Ulocker is EU traffic monetization software. It accepts payments through Ukash and Psc vouchers for €50 or €100.

As of today, it supports AT,CH,CY,DE,ES,FI,FR,GR,IT,NL,PL,PT,RO,SE. You are able to add and modify the number of languages.


1. Size: ~22KB uncompressed.
2. Kills MSCONFIG.exe, regedit.exe, regedt32.exe, CMD.exe, taskmgr.exe.
3. Accepts Ukash and Psc.
4. Hides Start menu and taskbar.
5. Blocks system keys.
6. Can modify text remotely.
7. Does not turn on if there's no internet connection (optional).
8. Launches on startup.
9. Disables Safe mode (XP)
10. Always on top.
11. Stays up after entry.
12. It's easy to add new languages to work with additional countries (!)

Server component:

Option 1: No panel, writes to file: date || ip || ukash || amount || country. The same for Psc. Responses are written to file.
Option 2: Simple panel, displays vouchers (ukash, psc), displays responses. Requires Php+MySql.
Responses are replies from the infected machines, not necessarily unique ones.


For the first 3 buyers: $250. 0/3.
The price does not depend on the server component.

The buyer receives:

1. Consultation at the time of purchase.
2. Minor updates for free.
3. You do your own encryption.
4. Help adding new language modules. Not creating, only adding. I'll show you how, it's very simple.
5. Don't have the builder yet (!). Free rebuilds.
6. Vouchers are not checked for validity. Checking services can be added if available.

You're prohibited from:

1. Uploading the build to public AV checkers.
2. Making this software available to others.

Violators will get banned without a refund.


Seller - xfrzx

Ulocker is software for monetizing euro downloads. It accepts Ukash and Psc vouchers of 50 or 100 euros as payment.
At the moment: AT,CH,CY,DE,ES,FI,FR,GR,IT,NL,PL,PT,RO,SE. You will be able to add and change the number of languages.


1. Size ~22KB uncompressed
2. Kills MSCONFIG.exe, regedit.exe, regedt32.exe, CMD.exe, taskmgr.exe
3. Accepts Ukash, Psc.
4. Hides the Start button and the taskbar.
5. Blocks system keys.
6. Text can be changed remotely.
7. Does not start when the internet is disconnected (optional).
9. Disables Safe Mode (XP)
10. Stays on top of all windows.
11. Is not removed after entry.
12. Quick and convenient way to add your own languages to work with specific countries (!)

Server side:

Option 1: no panel, writes to a file: date || ip || ukash || denomination || country. Same for psc. Writes callbacks to a file.
Option 2: a simple panel, voucher output (ukash, psc), callback output. Requires Php+MySql.
A callback is a check-in from an infected machine, not necessarily a unique one.


For the first 3 buyers: $250. 0/3.
The price does not depend on the server-side option.


1. Consultation at purchase.
2. Minor updates free of charge.
3. Crypting is on you.
4. Help adding languages for the locker to work with. Adding, not creating. By example, it's very simple.
5. No builder yet (!). Rebuilds are free.
6. Vouchers are not checked for validity. If checking services are available, it can be added.


1. Uploading the build to public AV checkers.
2. Publishing the software.

Violations result in a ban, with no refund.

Upas Rootkit

Cross posted from Russian Cyber Criminal Forum

English translation @Sherb1n

Seller - Auroras

Upas Kit


Upas is a modular http bot created for a single purpose - eliminating your headache. It's an advanced Ring3 rootkit that has something in common with SpyEye and Zeus. As a result, it's installed "silently", without triggering AV. As of today, it works on the following Windows versions: XP, Vista, 7 (Seven), Server 2003, server 2008. It's also "compatible" with all the service packs.

In its current version the rootkit can be injected into any 32-bit process. Written in C++.

By default, the kernel comes with the following modules (additional modules sold separately):

HTTP Panel

The following modules are sold separately:

USB spreader (lnk/autorun)
Form Grabber (IE, FF, Chrome)
FTP Grabber
Flooders Package - SYN/Slowloris/UDP
DNS Hook
Visit (hidden, show)
Post Spreaders

Prices, as of 6/14/2012:

Kernel $1000
Usb Spreader $200
Form Grabber $1000
Recompile with the same data $10
Recompile with different data (if your DNS is blacklisted or blocked) $50

The prices may seem a bit inflated, but if you consider the conversion rate and how effective this kit is, the price is right.

Panel features:

GeoIP (Maxmind)
IP block when the gate receives a response from anything but a bot
IP block when the input data is brute-forced
Add/Remove/Manage users
Installs log
Scan2you scanner for checking files, exploits, IPs, domains, etc. through web requests.
Detailed stats using Google Chart Tools
CAPTCHA at login, to prevent password brute-forcing
Easy way to add/remove jobs with parameters
Pre-populated list of sites for grabbing, ability to modify websites grabbed by Form Grabber
Per-country commands
Simple installer
English and Russian interface

Special features:

Antis file analysis protection
Decent sized stub
Easily cryptable
Unlimited domains. If a domain is unavailable, the bot tries the next one.
Ability to specify subdomains the responses will be sent to.


Upas Kit was created for penetration testing of personal and business information systems.
Upas Kit has never been and cannot be used to commit cybercrimes.
By purchasing this software you agree to not break the laws of the Russian Federation and other countries.
By purchasing this product you agree to use it at your own risk. Before installing this software on anyone's computer, you need to ask for that person's permission.


Seller - Auroras

Upas Kit


Upas is a modular http bot created with a single purpose: to rid you of headaches. It is an advanced ring3 rootkit that has something in common with SpyEye and Zeus. Thus installation happens "quietly", without being recognized by antiviruses. At the moment it works on the following Windows versions: XP, Vista, 7 (Seven), Server 2003, Server 2008. In addition, it is "compatible" with all service packs.
In the current version the rootkit is injected into all 32-bit processes. The application is written in C++.

By default the kernel ships with the following modules (additional ones are purchased separately)

HTTP Panel

List of modules that can be purchased separately:

Usb spreader (lnk/autorun)
Form Grabber (IE,FF,Chrome)
FTP Grabber
Flooders Package - SYN/Slowloris/UDP
DNS Hook
Visit (hidden, show)
Post Spreaders

Prices current as of 6/14/2012:

Kernel $1000
Usb Spreader $200
FormGrabber $1000
Recompilation with the same data $10
Recompilation with different data entered (if the DNS got listed or blocked) $50

The prices may seem inflated, but if you estimate the degree of monetization and effectiveness of this software, the price becomes justified.

Panel capabilities:

Geoip from maxmind
IP blocking if the check-in to the gate did not come from a bot
IP blocking in case of brute-forcing login data
Adding/Removing/Managing users
Downloads log
Scan2you scanner, using web requests to scan files, exploits, IPs, domains, etc.
Detailed statistics using Google Chart Tools
CAPTCHA at panel login to complicate password guessing
Simple and convenient adding/removing of tasks with parameters
Ready-made list of sites for grabbing, ability to change the sites grabbed by the Form Grabber
Sending commands by country
Simple installer
English and Russian languages

Bot features:

Antis protection to prevent analysis of your file
Decent sized stub
Easily cryptable
Easily encrypted
Unlimited number of domains. Check-in goes through the domains; on failure the next one is taken.
Ability to check in to an arbitrary subdomain

Disclaimer:

The Upas Kit software was created for finding vulnerabilities in the information systems of both private individuals and organizations.
Upas Kit has never been used to commit cybercrimes and cannot be.
By purchasing this product you agree not to break the laws of the Russian Federation and other countries.
By purchasing this product you use it at your own risk. Before loading the application onto a user's PC you must obtain their consent.

Sunday, 10 June 2012

Spam Service

Provider - avigdottir

Cross posted from Russian cyber criminal forum

English translation by @Sherb1n

Spam Campaigns

The service is designed to provide clicks for your link, including the option of using our intermediary redirect shells.

Our campaign most often results in a visitor coming to your site/page/affiliate page.

We can spam different links, automatically pulling them from your URL every minute.

This rules out the loss of traffic due to obsolete URLs and other similar problems.

We provide traffic stats (this feature is complimentary when you order our redirect shells).

Inbox rate for Gmail is over 90%. The rate varies for other services, but is considerably higher than Gmail's. If you have a specific request, run it by our support before starting the campaign.

Distribution speed: 1 million/20 minutes.

We can also help you pick a template (with randomization) for a theme-based campaign.


$150 for 1 million goods, your spam base
$200 for 1 million goods, your DB, your link, through our redirect shells (with URL auto-update)

Minimum order: 1 million (anything under that goes at the price of a minimum order).

We can provide our own spam DBs in certain cases, but the price will increase substantially.

Typically, we prefer to use your bases. After spamming, they are permanently deleted.

Monday, 19 March 2012

Citadel 1.3

Citadel, the Zeus-derived bot, is under active development, and version 1.3.3 has been released by its coder, Aquabox.

The author's post is copied directly from an underground forum and translated to English for your convenience. Thanks to @Sherb1n.

Citadel v1.3.3.0 Spring Edition!

It's springtime, a time when everything changes and functionality goes into full bloom. Pimp out your ride for the summer!

Our product has become quite unique, so we're going to give an overview of all the features you can start using right away to get even more profit out of the new version:

1) Admin control panel has a new section, "Performance and Security", which has been integrated with the scan4you service; now you can run AV detection checks for all of your exe builds with a single click, right from the Citadel control panel. You can also set up automated daily scans, so that if one of your files gets burned by more than 3 AVs, you'll receive an instant Jabber notification and will be able to replace the exe right away. Now that this task is automated, you can feel free to be lazy!

2) Some customers complained that only 40% of their bots were getting updated to the new exe versions, while the rest were failing to update for an unknown reason. Indeed, that turned out to be a bug from the old ZeuS times; we did some research and fixed it. Now config has a new parameter: timer_autoupdate 8, which sets how often (in hours) the bot will download and restart the exe from the server (RC4 key should match). 80% of bots are now successfully updating; go ahead, encrypt and re-upload your exe, with the uptime improved by 37.1%, your bots will have the freshest and cleanest builds.

3) Server reporting system has been rewritten. In previous versions, every report generated a separate POST request to the gate; in the new schema, reports are sent in batches. This reduces the number of open sessions and minimizes the server load, allowing the server to support a larger number of bots online.

4) Video recording format has been changed to .webm (HTML5); an online video player has been built into the Citadel control panel, and now you can watch the videos right in your browser (Opera is recommended). Features: rewind, fast-forward / full-screen / search for videos by BotID, IP address, date.
But that's not all, we didn't stop there: many of you are using AT (and it's about time everyone else started using it to develop this industry collectively), and personal admin servers for your injects/account collections, etc. Wouldn't you like to watch videos of how well your auto-transfers and injections work, right from your admin panel on that server? That's easy! We've created an API system for this: just send your BotID or IP address to the script, and the API will send back an HTML embed code for all the videos uploaded by that bot. You can embed and watch this video wherever you want, even on, without having to visit the Citadel server.

5) An improved system command (CMDList) analyzer/parser has been added to the admin panel. Now you can use the new table layout to view the output of system commands like ipconfig, the list of machines on the local network, the list of running processes, etc.

6) Now, upon installation, the bot will automatically send to the server a one-time report with the following information: installed firewalls, installed AV products, installed programs.
This information can be viewed for each bot separately, or for the entire botnet. We've created a new admin panel section where you can see all these stats, visual graphs and calculations. Now you know who you're up against.

7) "Favorite logs" - this new feature allows you to mark any account (or report) of interest when searching for data in admin; the accounts will be highlighted, and you can easily find them later.

8) A new "CardSwipe" module has been developed. It can grab card numbers and dumps out of HTTPS/WinSocket traffic and send them as a separate report.
The module uses the LUHN10 algorithm to analyze traffic. Margin of error - 25%.
Price: $250 LR.

9) Injects are now compatible with UTF-8, and can be customized for any language (Japanese, Chinese, etc.)

10) Want to find new clients or business partners in your line of work? Consider placing your banner ad with the Citadel CRM.
Number of ad spaces: only 3 (234x60), two are still available; we only accept ads for relevant vendors and services (installs, encryption, traffic, etc., business partner search). Contact support through Jabber for a price quote.

As always, this update is free for our current clients. Place your requests through Jabber or CRM. (The update kits will be delivered on March 15, at 11:30PM).

New clients will receive a discount when buying the full package!
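Item 8 of the post above claims Luhn-based traffic analysis with a 25% margin of error. The Python below is an added example, not code from the Citadel post or its author: it implements the Luhn (mod 10) check, pulls PAN-length digit runs out of a constructed traffic sample, and counts exhaustively how many arbitrary digit strings pass, which is the same logic a DLP rule or network detection would apply to flag card-like data leaving a host. All function names and sample values are constructed for this example.

```python
import re
from itertools import product


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, starting left of the check digit
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the doubled value
        total += d
    return total % 10 == 0


# Constructed stand-in for captured form data. The card-like numbers were generated
# to pass or fail the checksum for this example; they are not real account numbers.
SAMPLE_TRAFFIC = (
    "pan=4539578763621486&exp=1225\n"   # constructed, Luhn-valid
    "order_ref=1234567812345670\n"      # constructed, Luhn-valid but clearly not a card
    "bad_pan=4539578763621487\n"        # constructed, fails Luhn (check digit off by one)
    "phone=13949001667\n"               # 11 digits, shorter than any PAN
)

# PANs are 13 to 19 digits; the look-arounds stop us matching inside longer digit runs.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_candidate_pans(text: str) -> list[str]:
    """Digit runs of PAN length that also pass Luhn, in order of appearance."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def luhn_pass_rate(length: int) -> float:
    """Fraction of ALL digit strings of the given length that pass Luhn (exhaustive).

    Because the check digit is fully determined by the other digits, exactly one
    in ten arbitrary strings passes, whatever the length. A checksum-only filter
    therefore accepts 10% of random numeric noise (order ids, timestamps, phone
    numbers padded to PAN length), which is why grabbers and DLP rules alike need
    length, BIN and context checks on top of Luhn.
    """
    hits = sum(luhn_valid("".join(p)) for p in product("0123456789", repeat=length))
    return hits / 10 ** length


if __name__ == "__main__":
    print("Luhn-passing candidates:", find_candidate_pans(SAMPLE_TRAFFIC))
    print("Share of all 4-digit strings passing Luhn:", luhn_pass_rate(4))
```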

Citadel V 1.1

Friday, 2 March 2012

Chinese Threat Actor Part 3

Sin Digoo Identified

Another email mentioned in Joe's blog was which is linked to

Espionage Domains

Malware reported on

Malware reported on - December 2007

BlackHat Domains

Archive on reveals ICQ info of Jeno aka Tawnya aka xxgchappy

ICQ 567950703

The ICQ search leads to a blackhatworld profile with handle "xxgchappy" and a domain

Domain name:

Creation date: 18 Nov 2009 02:17:06

Expiration date: 18 Nov 2010 02:17:06

Registrant Contact:
eric charles ()

Santa Cruz 1156 High Street
california, california 95064

Administrative Contact:
eric charles (
Fax: +1.831459019
Santa Cruz 1156 High Street
california, california 95064


Jeno promoted his in Chinese forums

The profile mentions as his website

Whois record of

Domain ID:D155737903-LROR
Domain Name:HNSJ.ORG
Created On:27-Mar-2009 10:10:58 UTC
Last Updated On:04-Apr-2010 05:17:20 UTC
Expiration Date:27-Mar-2011 10:10:58 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Registrant ID:f1f613654acc4737
Registrant Name:eric charles
Registrant Organization:personal
Registrant Street1:Santa Cruz 1156 High Street
Registrant Street2:
Registrant Street3:
Registrant City:california
Registrant State/Province:State
Registrant Postal Code:95064
Registrant Country:YE
Registrant Phone:+1.831459019
Registrant Phone Ext.:
Registrant FAX:+1.831459019
Registrant FAX Ext.:

Personal Domains

Search on revealed some interesting information. The domain is related to mobile phone sales, and the company name is Henan Mobile Network.


QQ number 55356626 is posted as contact on HNSJ.ORG

xxgchappy promoted on his Baidu blog

His Baidu profile mentions further details

Further search reveals other QQ and Phone contacts

2008 post

Huihui Digital Flagship Store (shop doesn't exist now)

Famous Taobao shop, Diamond reputation, hot sales nationwide
Guaranteed original; if not original, 50 compensation for emotional distress. Full refund.

Phone number 13949001667 (a mobile GSM card) belongs to Zhengzhou City, Henan Province, and the name given here is Zhang

Company Name: Henan phone network
Company Address: Longhai Road, No. 188 Central Plains Communications Digital City A420
Contact: Mr. Zhang
Company QQ: 878972156, 390363752, 55356626
Scope of business: Phone Samsung LG Nokia

QQ 878972156

QQ 390363752

QQ 55356626

The QQ number is linked to a post on a car forum dated 2005

Aika (爱卡) ID: Jeno
Little Lion 1.6 xmt
License plate: 豫ADB922
Mobile number: 13513899779

Whois Record- XIUXING.INFO

Domain ID:D13719670-LRMS
Created On:09-Jun-2006 06:16:29 UTC

Last Updated On:29-May-2007 01:13:12 UTC
Expiration Date:09-Jun-2009 06:16:29 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Registrant ID:49A2353365A0954B
Registrant Name:tawnya grilth
Registrant Street1:po box 211
Registrant Street2:
Registrant Street3:
Registrant City:sin digoo
Registrant State/Province:ca
Registrant Postal Code:92101
Registrant Country:US
Registrant Phone:+1.818926523
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant is a forum related to Buddhism.

Jeno mentions his Buddhism website on his profile, along with the same QQ number used in

Tawnya Grilth aka Eric Charles aka xxgchappy aka Jeno aka undercurrent

Personal Details

QQ number 55356626 Profile

The personal email "" is also mentioned in a shellcode article written by Jeno at Xfocus, a well-known Chinese hacking forum, dated 2003.

Article submitted by: jeno (

Time: 2003-8-31

Xfocus Profile

DOB 1980-10-1

The name Jeno and the DOB 1980 make up the email that is used as the registrant email.

Kaixin001 Chinese Social Network

The same registrant email is also used for an account on the Chinese social network Kaixin001.

Personal details mentioned on Kaixin profile.

Name - 张长河 Zhang Chang-he

Living in Zhengzhou, Henan Province, China.

QQ number 55356626 leads to a personal blog revealing his pic


Jeno registered all the domains associated with the espionage activity; considering his Xfocus and profile, we can zero in on Jeno, or he is in some way associated with the group.

Update 16 Feb 2013

Journals published by Zhang Chang-he (2005-2011)

Windows Rootkit

Analysis of Windows Startup

Security Analysis of PCI device

Capturing File Transferred or Printed Based on SMB in LAN

Wednesday, 29 February 2012

Chinese Threat Actor Part 2

Follow up on Joe Stewart Investigation

Chinese Threat Actor Part 1 also owns another email

RootKit Database

(23025,'king-rose','e211f11c0b28434bf7f1c8fb510fa9ae','Club tom','',1,1106582903,'','','','','','',0,'','',1106837367,'',0,0,0,1106583113,0,0,0,'BH','19800126','','','',0,'')

IP -


IP -



The Kaixin profile linked to reveals the name Wang Liang Chen (王亮晨), and his other email is also linked to a Kaixin profile.

Wang Zhong Yun (王仲俊)

Gender: Male
Current residence: Beijing
Zodiac Sign: Pisces

The spacewalk picture is used as the profile picture on Kaixin.

His social network has many friends, and the profile appears genuine.

Further analysis reveals that is linked to many tech and hacker forums with handles "W100", "King-W" and "King-Z"

Tianya Board

Male, Beijing, Pisces

51CTO Blog


Known emails and handles of the actor

Handles - King-Z, King-W, W100, King-rose

Chinese Threat Actor Part 3

Monday, 13 February 2012

Gigabid Affiliate

Gigabid - Clickbot and Fake AV Affiliate

INCOME UP TO 400 $ - 1K US



up to 90%

Earn up to $ 830 A DAY
UP TO 20% Referral
COMPATIBLE with other software

Friday, 10 February 2012

Evade Antivirus Detection

Bad Guys way

- Scan malware with multiple antivirus checkers that do not send samples to AV companies.
- Crypt malware with polymorphic crypters to avoid detection.

MyAV Scan - Private AV Scanners and Crypters



Multiple Scanners & Crypters

Desktop Version

Wednesday, 1 February 2012

Andromeda Bot

English translation by @Sherb1n

Coder - Waahoo - Adv on Private Forum


This versatile modular bot can be used as the foundation for a botnet with an endless variety of possibilities. The bot’s functionality can be expanded through a system of plugins, any number of which can be added at any time.

Supports unlimited number of reserve domains.

Data exchange protocol between the bot and the admin server is RC4-encrypted.

You can reconfigure your botnet to your needs at any time, by yourself.

Doesn’t overload the system, doesn’t require admin rights to install, doesn’t trigger a UAC pop-up.

The bot protects itself, so an unskilled user will not be able to remove it from the system.

Bypasses firewalls, doesn’t appear in the list of processes, injects into a trusted process.

Doesn’t produce any DLLs, doesn’t contain TLS, easy to encrypt.

Regardless of how successful the installation is, the original executable is deleted.

Works on WinXP through Win7, including x64 systems.

Very lightweight, written entirely in Assembler.

There are two versions of this bot:

01.* public inject-based, uses QueueUserAPC
02.* bypass-based; this version, unlike the one above, can get through proactive defense.

Written in PHP, bundled with MySQL.
Detects bots behind the NAT.
Keeps botnet stats: # of bots online/offline/dead, breakdown by country, breakdown by platform.
Keeps track of the number of finished/unfinished tasks.
Can set a limit on the number of times the task will be executed.
Can assign tasks to individual bots.
Assign tasks based on the bots’ countries.
Clear all stats/delete all dead bots from the DB.

Admin panel screenshots:

Price list:

01.* - $200
02.* - not for sale at the moment.
Rebuild for a new URL (main URL) - $10
For each additional reserve URL - $10

We accept:

Liberty Reserve (preferred)