Monday 19 March 2012

Citadel 1.3

Citadel Zeus Bot is under active development, and new version 1.3.3 has been released by its coder, Aquabox.

The author's post is copied directly from an underground forum and translated to English for your convenience. Thanks to @Sherb1n.


Citadel v1.3.3.0 Spring Edition!

It's springtime, a time when everything changes and functionality goes into full bloom. Pimp out your ride for the summer!

Our product has become quite unique, so we're going to give an overview of all the features you can start using right away to get even more profit out of the new version:

1) Admin control panel has a new section, "Performance and Security", which has been integrated with the scan4you service; now you can run AV detection checks for all of your exe builds with a single click, right from the Citadel control panel. You can also set up automated daily scans, so that if one of your files gets burned by more than 3 AVs, you'll receive an instant Jabber notification and will be able to replace the exe right away. Now that this task is automated, you can feel free to be lazy!

2) Some customers complained that only 40% of their bots were getting updated to the new exe versions, while the rest were failing to update for an unknown reason. Indeed, that turned out to be a bug from the old ZeuS times; we did some research and fixed it. Now config has a new parameter: timer_autoupdate 8, which sets how often (in hours) the bot will download and restart the exe from the server (RC4 key should match). 80% of bots are now successfully updating; go ahead, encrypt and re-upload your exe. With the uptime improved by 37.1%, your bots will have the freshest and cleanest builds.

3) Server reporting system has been rewritten. In previous versions, every report generated a separate POST request to the gate; in the new schema, reports are sent in batches. This reduces the number of open sessions and minimizes the server load, allowing the server to support a larger number of bots online.

4) Video recording format has been changed to .webm (HTML5); an online video player has been built into the Citadel control panel, and now you can watch the videos right in your browser (Opera is recommended). Features: rewind, fast-forward / full-screen / search for videos by BotID, IP address, date.
But that's not all, we didn't stop there: many of you are using AT (and it's about time everyone else started using it to develop this industry collectively), and personal admin servers for your injects/account collections, etc. Wouldn't you like to watch videos of how well your auto-transfers and injections work, right from your admin panel on that server? That's easy! We've created an API system for this: just send your BotID or IP address to the script, and the API will send back an HTML embed code for all the videos uploaded by that bot. You can embed and watch this video wherever you want, even on narod.ru, without having to visit the Citadel server.

5) An improved system command (CMDList) analyzer/parser has been added to the admin panel. Now you can use the new table layout to view the output of system commands like ipconfig, the list of machines on the local network, the list of running processes, etc.

6) Now, upon installation, the bot will automatically send to the server a one-time report with the following information: installed firewalls, installed AV products, installed programs.
This information can be viewed for each bot separately, or for the entire botnet. We've created a new admin panel section where you can see all these stats, visual graphs and calculations. Now you know who you're up against.

7) "Favorite logs" - this new feature allows you to mark any account (or report) of interest when searching for data in admin; the accounts will be highlighted, and you can easily find them later.

8) A new "CardSwipe" module has been developed. It can grab card numbers and dumps out of HTTPS/WinSocket traffic and send them as a separate report.
The module uses the LUHN10 algorithm to analyze traffic. Margin of error: 25%.
Price: $250 LR.

9) Injects are now compatible with UTF-8 and can be customized for any language (Japanese, Chinese, etc.).

10) Want to find new clients or business partners in your line of work? Consider placing your banner ad with the Citadel CRM.
Number of ad spaces: only 3 (234x60), two are still available; we only accept ads for relevant vendors and services (installs, encryption, traffic, etc., business partner search). Contact support through Jabber for a price quote.

As always, this update is free for our current clients. Place your requests through Jabber or CRM. (The update kits will be delivered on March 15, at 11:30PM).

New clients will receive a discount when buying the full package!
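Item 8 of the quoted post says the card grabber relies on the LUHN10 checksum and admits a 25% margin of error. The Python below is an added example, not Citadel code and not from the original post: it runs the same Luhn filter as a DLP-style detector over a constructed HTTP body, and shows why the checksum alone is not enough for either side. The first PAN is the public Visa test number, the IMEI is the sample value from the IMEI specification, and everything else is constructed; exactly one check digit completes any prefix, so one in ten random digit runs of card length passes, and a detection rule needs BIN ranges and context on top.

```python
import re

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def luhn_check_digit(prefix: str) -> str:
    """The one digit that makes prefix+digit Luhn-valid: 1 in 10 random runs pass."""
    for d in "0123456789":
        if luhn_valid(prefix + d):
            return d
    raise ValueError("prefix must consist of digits")

# Runs of 13-19 digits, allowing the space/dash grouping that card forms use.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pan_candidates(text: str) -> list:
    """Return (digits, luhn_ok) for every card-length digit run in text."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        found.append((digits, luhn_valid(digits)))
    return found

# Constructed HTTP body, not captured traffic.
SAMPLE_TRAFFIC = (
    "POST /checkout HTTP/1.1\r\n"
    "card=4111 1111 1111 1111&exp=0915\r\n"   # Luhn-valid Visa test PAN
    "card=4111111111111112&exp=0915\r\n"      # one digit off: Luhn rejects it
    "imei=490154203237518\r\n"                # sample IMEI: Luhn-valid, not a card
    "order=1234567890123456\r\n"              # 16 digits, Luhn rejects it
)

if __name__ == "__main__":
    for digits, ok in find_pan_candidates(SAMPLE_TRAFFIC):
        print(f"{digits:20} luhn={'pass' if ok else 'fail'}")
    # Two of four candidates pass and one of those is an IMEI: the checksum
    # alone leaves a real false-positive class, which is the quoted margin of error.
```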

Citadel V 1.1

http://cyb3rsleuth.blogspot.co.uk/2012/01/citadel-zeus-bot.html

Friday 2 March 2012

Chinese Threat Actor Part 3


Sin Digoo Identified

Another email mentioned in Joe's blog was jeno_1980@hotmail.com, which is linked to xxgchappy@vip.sina.com.





Espionage Domains

Malware reported on umu1.echosky.biz


Malware reported on www.dellpc.us - December 2007



BlackHat Domains

An archived copy of socialup.net reveals the ICQ info of Jeno, aka Tawnya, aka xxgchappy.

http://web.archive.org/web/20100106025256/http://www.socialup.net/contacts.php

ICQ 567950703



The ICQ search leads to a blackhatworld profile with the handle "xxgchappy" and a domain, makewithmoney.com.

Domain name: makewithmoney.com

Creation date: 18 Nov 2009 02:17:06

Expiration date: 18 Nov 2010 02:17:06

Registrant Contact:
personal
eric charles ()

Fax:
Santa Cruz 1156 High Street
california, california 95064
US

Administrative Contact:
personal
eric charles (jeno_1980@hotmail.com)
+1.831459019
Fax: +1.831459019
Santa Cruz 1156 High Street
california, california 95064
US



Twitter

https://twitter.com/leedoctor




http://www.blackhatworld.com/blackhat-seo/members/73099-xxgchappy.html



http://www.v7n.com/forums/social-networking/161752-wts-cheap-digg-service-0-1-per-digg.html


Jeno promoted his socialup.net in Chinese forums.





The profile mentions www.hnsj.org as his website.





Whois record of hnsj.org

Domain ID:D155737903-LROR
Domain Name:HNSJ.ORG
Created On:27-Mar-2009 10:10:58 UTC
Last Updated On:04-Apr-2010 05:17:20 UTC
Expiration Date:27-Mar-2011 10:10:58 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:OK
Registrant ID:f1f613654acc4737
Registrant Name:eric charles
Registrant Organization:personal
Registrant Street1:Santa Cruz 1156 High Street
Registrant Street2:
Registrant Street3:
Registrant City:california
Registrant State/Province:State
Registrant Postal Code:95064
Registrant Country:YE
Registrant Phone:+1.831459019
Registrant Phone Ext.:
Registrant FAX:+1.831459019
Registrant FAX Ext.:
Registrant Email:jeno_1980@hotmail.com


Personal Domains

A search on hnsj.org revealed some interesting information: the domain is related to mobile phone sales, and the company's name is Henan Mobile Network.




Archive

http://web.archive.org/web/20100109050932/http://www.hnsj.org/article.php?id=4




QQ number 55356626 is posted as the contact on HNSJ.ORG.



xxgchappy promoted hnsj.org on his Baidu blog:

http://hi.baidu.com/%BA%D3%C4%CF%CA%D6%BB%FA%CD%F8/home






His Baidu profile mentions further details:

http://passport.baidu.com/?business&aid=6&un=xxgchappy#0


A further search reveals other QQ and phone contacts:

http://bbs.shangdu.com/t/20080831/01004001126/126-1.htm

2008 post:

慧慧数码旗舰店 (Huihui Digital Flagship Store)

http://shop36037986.taobao.com (the shop no longer exists)

All kinds of smartphones sold
Famous Taobao shop, diamond-rated reputation, hot seller nationwide
Guaranteed original; if not original, 50 in compensation for emotional distress and a full refund.
Buynow (百脑汇), 2nd floor, 2B16
QQ:55356626
Wangwang: 慧慧数码旗舰店 (Huihui Digital Flagship Store)
13949001667
Our professionalism is worthy of your trust.

Phone number 13949001667 (a mobile GSM number) belongs to Zhengzhou City, Henan Province, and the name mentioned here is Zhang.

http://www.hahait.com/h41328



Company Name: Henan phone network
Tel: 0371-66900779
Company Address: Longhai Road, No. 188 Central Plains Communications Digital City A420
Contact: Mr. Zhang
Fax:
E-mail:
Company QQ: 878972156, 390363752, 55356626
Website: http://www.hahait.com/41328
Scope of business: Phone Samsung LG Nokia

QQ 878972156

QQ 390363752

QQ 55356626


The QQ number is linked to a post on a car forum dated 2005:

http://www.xcar.com.cn/bbs/viewthread.php?tid=6300657

http://www.xcar.com.cn/bbs/viewthread.php?tid=1576356

XCar ID: Jeno
Little Lion 1.6 XMT
License plate: 豫ADB922
Mobile number: 13513899779


Whois record of XIUXING.INFO

Domain ID:D13719670-LRMS
Domain Name:XIUXING.INFO
Created On:09-Jun-2006 06:16:29 UTC
Last Updated On:29-May-2007 01:13:12 UTC
Expiration Date:09-Jun-2009 06:16:29 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK
Registrant ID:49A2353365A0954B
Registrant Name:tawnya grilth
Registrant Organization:i-tobuy.com
Registrant Street1:po box 211
Registrant Street2:
Registrant Street3:
Registrant City:sin digoo
Registrant State/Province:ca
Registrant Postal Code:92101
Registrant Country:US
Registrant Phone:+1.818926523
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:jeno_1980@hotmail.com


xiuxing.info is a forum related to Buddhism.
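The pivots followed above (the same registrant email and phone number recurring across makewithmoney.com, hnsj.org and xiuxing.info) can be checked mechanically rather than by eye. The Python below is an added example, not part of the original post: it parses records in the "Key:Value" layout shown above and reports which registrant fields tie which domains together. The records it runs on are constructed placeholders, not the real ones; the field names and date format follow the page's records.

```python
from collections import defaultdict

# Registrant fields that identify a person rather than a domain; a value shared
# across otherwise unrelated domains is the pivot an analyst follows.
PIVOT_FIELDS = ("Registrant Email", "Registrant Phone", "Registrant Name")

def parse_whois(text: str) -> dict:
    """Parse 'Key:Value' lines (eNom/LROR layout, as in the records above) into a dict."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep and key.strip():
            record[key.strip()] = value.strip()
    return record

def find_pivots(records) -> dict:
    """Map (field, value) to the sorted domains sharing it, keeping values seen on 2+ domains."""
    index = defaultdict(set)
    for rec in records:
        domain = rec.get("Domain Name", "").lower()
        for field in PIVOT_FIELDS:
            value = rec.get(field, "").strip().lower()
            if domain and value:
                index[(field, value)].add(domain)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}

# Constructed records with placeholder values, laid out like the page's whois output.
# The two pivot domains share email and phone but give slightly different names.
SAMPLE_RECORDS = [
    "Domain Name:PIVOT-ONE.ORG\nCreated On:27-Mar-2009 10:10:58 UTC\n"
    "Registrant Name:jane placeholder\nRegistrant Phone:+1.5550100\n"
    "Registrant Email:registrant@example.invalid\n",
    "Domain Name:PIVOT-TWO.INFO\nCreated On:09-Jun-2006 06:16:29 UTC\n"
    "Registrant Name:j. placeholder\nRegistrant Phone:+1.5550100\n"
    "Registrant Email:registrant@example.invalid\n",
    "Domain Name:UNRELATED.NET\nRegistrant Name:someone else\n"
    "Registrant Phone:+1.5550199\nRegistrant Email:other@example.invalid\n",
]

def pivots_for_samples() -> dict:
    """Run the correlation over the constructed records."""
    return find_pivots(parse_whois(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    for (field, value), domains in sorted(pivots_for_samples().items()):
        print(f"{field} = {value}: {', '.join(domains)}")
```

The name field does not pivot here, which mirrors the page: the email and phone tie records together even where the registrant name varies.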



Jeno mentions his Buddhism website on his profile, along with the same QQ number used on HNSJ.org.






Tawnya Grilth aka Eric Charles aka xxgchappy aka Jeno aka undercurrent


Personal Details

QQ number 55356626 Profile




The personal email "xxgchappy@vip.sina.com" is also mentioned in a shellcode article written by Jeno on Xfocus, a famous Chinese hacking forum, dated 2003.




Reposted from: http://www.xfocus.net
Created: 2003-08-31
Article type: original
Submitted by: jeno (xxgchappy_at_vip.sina.com)

Author: jeno
Email: jeno@vip.371.net
Time: 2003-8-31

Xfocus Profile

https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=35525


DOB 1980-10-1

The name Jeno and the DOB 1980 make up the email Jeno_1980@hotmail.com, which is used as the registrant email.


Kaixin001 Chinese Social Network

xxgchappy@vip.sina.com is the registration email on the Chinese social network Kaixin001.

http://www.kaixin001.com/home/17206761.html


Personal details mentioned on the Kaixin profile:

Name - 张长河 Zhang Chang-he

Living in Zhengzhou, Henan Province, China.


QQ number 55356626 leads to a personal blog revealing his picture:

http://55356626.qzone.qq.com



Conclusion

Jeno registered all the domains associated with the espionage activity, and considering his Xfocus and rootkit.com profiles, we can zero in on Jeno, or at least conclude that he is in some way associated with the group.

 
Update 16 Feb 2013

http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked


Journal papers published by Zhang Chang-he (2005-2011):

http://www.cnki.net/KCMS/detail/search.aspx?dbcode=CJFQ&sfield=au&skey=%E5%BC%A0%E9%95%BF%E6%B2%B3&code=22840348;20139954;21141875;




Windows Rootkit

http://www.cnki.net/KCMS/detail/detail.aspx?QueryID=5&CurRec=2&recid=&filename=XXGC200702023&dbname=cjfd2007&dbcode=CJFQ&pr=&urlid=&yx=

http://www.docin.com/p-49869286.html 


Analysis of Windows Startup

http://www.cnki.net/kcms/detail/detail.aspx?filename=XXGC200903027&dbcode=CJFQ&dbname=CJFD2009

http://www.docin.com/p-253321277.html


Security Analysis of PCI device

http://www.docin.com/p-279253540.html


Capturing File Transferred or Printed Based on SMB in LAN

http://www.cnki.net/kcms/detail/detail.aspx?filename=WJSJ200606039&dbcode=CJFQ&dbname=cjfd2006