Monday, 19 March 2012

Citadel 1.3

Citadel Zeus Bot is under active development, and a new version, 1.3.3, has been released by its coder, Aquabox.

The author's post below is copied directly from an underground forum and translated to English for your convenience. Thanks to @Sherb1n.

Citadel v1.3.3.0 Spring Edition!

It's springtime, a time when everything changes and functionality goes into full bloom. Pimp out your ride for the summer!

Our product has become quite unique, so we're going to give an overview of all the features you can start using right away to get even more profit out of the new version:

1) Admin control panel has a new section, "Performance and Security", which has been integrated with the scan4you service; now you can run AV detection checks for all of your exe builds with a single click, right from the Citadel control panel. You can also set up automated daily scans, so that if one of your files gets burned by more than 3 AVs, you'll receive an instant Jabber notification and will be able to replace the exe right away. Now that this task is automated, you can feel free to be lazy!

2) Some customers complained that only 40% of their bots were getting updated to the new exe versions, while the rest were failing to update for an unknown reason. Indeed, that turned out to be a bug from the old ZeuS times; we did some research and fixed it. Now config has a new parameter: timer_autoupdate 8, which sets how often (in hours) the bot will download and restart the exe from the server (RC4 key should match). 80% of bots are now successfully updating; go ahead, encrypt and re-upload your exe. With the uptime improved by 37.1%, your bots will have the freshest and cleanest builds.

3) Server reporting system has been rewritten. In previous versions, every report generated a separate POST request to the gate; in the new schema, reports are sent in batches. This reduces the number of open sessions and minimizes the server load, allowing the server to support a larger number of bots online.

4) Video recording format has been changed to .webm (HTML5); an online video player has been built into the Citadel control panel, and now you can watch the videos right in your browser (Opera is recommended). Features: rewind, fast-forward / full-screen / search for videos by BotID, IP address, date.
But that's not all; we didn't stop there: many of you are using AT (and it's about time everyone else started using it to develop this industry collectively), and personal admin servers for your injects/account collections, etc. Wouldn't you like to watch videos of how well your auto-transfers and injections work, right from your admin panel on that server? That's easy! We've created an API system for this: just send your BotID or IP address to the script, and the API will send back an HTML embed code for all the videos uploaded by that bot. You can embed and watch this video wherever you want, even on, without having to visit the Citadel server.

5) An improved system command (CMDList) analyzer/parser has been added to the admin panel. Now you can use the new table layout to view the output of system commands like ipconfig, the list of machines on the local network, the list of running processes, etc.

6) Now, upon installation, the bot will automatically send to the server a one-time report with the following information: installed firewalls, installed AV products, installed programs.
This information can be viewed for each bot separately, or for the entire botnet. We've created a new admin panel section where you can see all these stats, visual graphs and calculations. Now you know who you're up against.

7) "Favorite logs" - this new feature allows you to mark any account (or report) of interest when searching for data in admin; the accounts will be highlighted, and you can easily find them later.

8) A new "CardSwipe" module has been developed. It can grab card numbers and dumps out of HTTPS/WinSocket traffic and send them as a separate report.
The module uses the LUHN10 algorithm to analyze traffic. Margin of error: 25%.
Price: $250 LR.

9) Injects are now compatible with UTF-8, and can be customized for any language (Japanese, Chinese, etc.).

10) Want to find new clients or business partners in your line of work? Consider placing your banner ad with the Citadel CRM.
Number of ad spaces: only 3 (234x60), two are still available; we only accept ads for relevant vendors and services (installs, encryption, traffic, etc., business partner search). Contact support through Jabber for a price quote.

As always, this update is free for our current clients. Place your requests through Jabber or CRM. (The update kits will be delivered on March 15, at 11:30PM).

New clients will receive a discount when buying the full package!
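Item 8 of the post above describes a module that picks card numbers out of traffic with a LUHN10 check and quotes a 25% margin of error. The Python example below is added here and is not Citadel's code or part of the forum post; it shows the same check from the defender's side, as a DLP-style scanner over a captured request body, and measures how often a uniformly random digit string passes Luhn (about one in ten), which is why a Luhn-only detector is noisy and why an issuer prefix/length filter is normally layered on top. The sample body and its field names are constructed, the issuer table is a simplified, assumed version of the public IIN ranges, and the card numbers are the publicly documented test numbers issuers provide for gateway testing.

```python
import random
import re

# Constructed sample: one HTTP POST body as an egress proxy or DLP sensor
# might log it. The field names are hypothetical; the card numbers are the
# publicly documented test numbers issuers provide for gateway testing.
SAMPLE_BODY = (
    "cardholder=J+Doe&pan=4111111111111111&exp=0614&cvv=123"
    "&session=8675309123456789&phone=13949001667"
    "&backup_card=3782 8224 6310 005&ref=1234567812345670"
)

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified, assumed issuer prefix/length table (not exhaustive).
ISSUER_RULES = (
    ("visa", re.compile(r"^4"), {13, 16, 19}),
    ("mastercard", re.compile(r"^(5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720))"), {16}),
    ("amex", re.compile(r"^3[47]"), {15}),
    ("discover", re.compile(r"^(6011|65)"), {16, 19}),
)


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_issuer(digits: str):
    """Return the issuer name for a digit string, or None if no rule fits."""
    for name, prefix, lengths in ISSUER_RULES:
        if prefix.match(digits) and len(digits) in lengths:
            return name
    return None


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits so an alert never carries a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, require_issuer: bool = True):
    """Return (masked_pan, issuer) for every Luhn-valid candidate in text.

    With require_issuer=False the function behaves like a bare Luhn grabber
    and also reports digit runs that no issuer would have issued.
    """
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue
        issuer = classify_issuer(digits)
        if require_issuer and issuer is None:
            continue
        hits.append((mask_pan(digits), issuer))
    return hits


def luhn_pass_rate(samples: int = 20000, length: int = 16, seed: int = 1) -> float:
    """Fraction of uniformly random digit strings that pass Luhn (about 0.1)."""
    rng = random.Random(seed)
    passes = 0
    for _ in range(samples):
        s = "".join(rng.choice("0123456789") for _ in range(length))
        passes += luhn_valid(s)
    return passes / samples


if __name__ == "__main__":
    print("issuer-filtered:", find_pans(SAMPLE_BODY))
    print("luhn only:", find_pans(SAMPLE_BODY, require_issuer=False))
    print("random 16-digit strings passing Luhn: %.3f" % luhn_pass_rate())
```

Run as-is: the issuer-filtered pass reports only the Visa and Amex test numbers, while the Luhn-only pass additionally flags the constructed `ref` value, a 16-digit string that satisfies the checksum but starts with a prefix no issuer uses. The pass-rate function makes the underlying reason explicit: for any fixed 15 digits exactly one check digit satisfies Luhn, so random data passes about 10% of the time.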


Friday, 2 March 2012

Chinese Threat Actor Part 3

Sin Digoo Identified

Another email mentioned in Joe's blog was which is linked to

Espionage Domains

Malware reported on

Malware reported on - December 2007

BlackHat Domains

Archive on reveals ICQ info of Jeno aka Tawnya aka xxgchappy

ICQ 567950703

The ICQ search leads to a blackhatworld profile with handle "xxgchappy" and a domain

Domain name:

Creation date: 18 Nov 2009 02:17:06

Expiration date: 18 Nov 2010 02:17:06

Registrant Contact:
eric charles ()

Santa Cruz 1156 High Street
california, california 95064

Administrative Contact:
eric charles (
Fax: +1.831459019
Santa Cruz 1156 High Street
california, california 95064


Jeno promoted his in Chinese forums

The profile mentions as his website

Whois record of

Domain ID:D155737903-LROR
Domain Name:HNSJ.ORG
Created On:27-Mar-2009 10:10:58 UTC
Last Updated On:04-Apr-2010 05:17:20 UTC
Expiration Date:27-Mar-2011 10:10:58 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Registrant ID:f1f613654acc4737
Registrant Name:eric charles
Registrant Organization:personal
Registrant Street1:Santa Cruz 1156 High Street
Registrant Street2:
Registrant Street3:
Registrant City:california
Registrant State/Province:State
Registrant Postal Code:95064
Registrant Country:YE
Registrant Phone:+1.831459019
Registrant Phone Ext.:
Registrant FAX:+1.831459019
Registrant FAX Ext.:

Personal Domains

Search on revealed some interesting information. The domain is related to mobile phone sales and the name of the company is Henan Mobile Network.


QQ number 55356626 is posted as contact on HNSJ.ORG

xxgchappy promoted on his Baidu blog

His Baidu profile mentions further details

Further search reveals other QQ and Phone contacts

2008 post

Huihui Digital Flagship Store (慧慧数码旗舰店; the shop no longer exists)

Famous Taobao store, diamond reputation, hot sales nationwide.
Guaranteed original; if not original, 50 compensation for emotional distress and a full refund.

Phone number 13949001667 (a mobile GSM card) belongs to Zhengzhou City, Henan Province, and the name mentioned here is Zhang.

Company Name: Henan phone network
Company Address: Longhai Road, No. 188 Central Plains Communications Digital City A420
Contact: Mr. Zhang
Company QQ: 878972156, 390363752, 55356626
Scope of business: Phone Samsung LG Nokia

QQ 878972156

QQ 390363752

QQ 55356626

The QQ number is linked to a post on a car forum dated 2005

Xcar (爱卡) ID: Jeno
Little Lion (小狮子) 1.6 xmt
License plate: 豫ADB922
Mobile number: 13513899779

Whois Record- XIUXING.INFO

Domain ID:D13719670-LRMS
Created On:09-Jun-2006 06:16:29 UTC

Last Updated On:29-May-2007 01:13:12 UTC
Expiration Date:09-Jun-2009 06:16:29 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Registrant ID:49A2353365A0954B
Registrant Name:tawnya grilth
Registrant Street1:po box 211
Registrant Street2:
Registrant Street3:
Registrant City:sin digoo
Registrant State/Province:ca
Registrant Postal Code:92101
Registrant Country:US
Registrant Phone:+1.818926523
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
XIUXING.INFO is a forum related to Buddhism.
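The attribution in this post rests on pivoting across registrant fields of several whois records (the same name, address and phone number reappear between the domain tied to the blackhatworld profile and HNSJ.ORG), and on the fact that some of the registrant data is internally inconsistent (a California street address with country code YE and "State" as the state). The Python below is an added example, not the blog's or any tool's code, that performs both steps on the records shown on this page. HNSJ.ORG and XIUXING.INFO are transcribed from the records above; the third record is the contact block of the blackhatworld-linked domain re-keyed into the same whois field names (an assumption), with the placeholder name UNKNOWN-DOMAIN-1 because the page does not show that domain. The NANP assumption (a +1 number implies US or CA) is mine.

```python
import re
from collections import defaultdict

# Whois records transcribed from the page. HNSJ.ORG and XIUXING.INFO are the
# two full records shown above; UNKNOWN-DOMAIN-1 is the contact block of the
# domain tied to the blackhatworld profile, re-keyed into the same field
# names (an assumption) with a placeholder domain name, since the page does
# not show that domain.
RECORDS = {
    "HNSJ.ORG": """\
Domain Name:HNSJ.ORG
Created On:27-Mar-2009 10:10:58 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Registrant Name:eric charles
Registrant Organization:personal
Registrant Street1:Santa Cruz 1156 High Street
Registrant City:california
Registrant State/Province:State
Registrant Postal Code:95064
Registrant Country:YE
Registrant Phone:+1.831459019
Registrant FAX:+1.831459019
""",
    "XIUXING.INFO": """\
Domain Name:XIUXING.INFO
Created On:09-Jun-2006 06:16:29 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Registrant Name:tawnya grilth
Registrant Street1:po box 211
Registrant City:sin digoo
Registrant State/Province:ca
Registrant Postal Code:92101
Registrant Country:US
Registrant Phone:+1.818926523
Registrant FAX:
""",
    "UNKNOWN-DOMAIN-1": """\
Domain Name:UNKNOWN-DOMAIN-1
Created On:18-Nov-2009 02:17:06
Registrant Name:eric charles
Registrant Street1:Santa Cruz 1156 High Street
Registrant City:california
Registrant State/Province:california
Registrant Postal Code:95064
Registrant FAX:+1.831459019
""",
}

# Whois fields worth pivoting on, mapped to a normalized attribute kind.
# Phone and FAX share one kind so a number reused in either field links.
PIVOT_MAP = {
    "Registrant Name": "name",
    "Registrant Phone": "phone_number",
    "Registrant FAX": "phone_number",
    "Registrant Street1": "street",
    "Registrant Postal Code": "postal",
}


def parse_whois(text: str) -> dict:
    """Parse 'Key:Value' lines, splitting on the first colon only so that
    timestamps such as '10:10:58' survive intact."""
    rec = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        rec[key.strip()] = value.strip()
    return rec


def normalize(kind: str, value: str) -> str:
    """Lower-case and collapse whitespace; phone-like values keep digits only."""
    value = value.strip().lower()
    if kind == "phone_number":
        return re.sub(r"\D", "", value)  # "+1.831459019" -> "1831459019"
    return re.sub(r"\s+", " ", value)


def build_pivots(records: dict) -> dict:
    """Map (kind, normalized value) -> sorted list of domains sharing it (2+)."""
    index = defaultdict(set)
    for domain, rec in records.items():
        for field, kind in PIVOT_MAP.items():
            value = normalize(kind, rec.get(field, ""))
            if value:
                index[(kind, value)].add(domain)
    return {key: sorted(doms) for key, doms in index.items() if len(doms) > 1}


def registrant_anomalies(rec: dict) -> list:
    """Cheap consistency checks that flag probably fabricated registrant data."""
    flags = []
    country = rec.get("Registrant Country", "").upper()
    phone = normalize("phone_number", rec.get("Registrant Phone", ""))
    fax = normalize("phone_number", rec.get("Registrant FAX", ""))
    state = rec.get("Registrant State/Province", "").strip().lower()
    # Assumption: a +1 number belongs to the North American Numbering Plan.
    if phone.startswith("1") and country and country not in {"US", "CA"}:
        flags.append("country_vs_phone")
    if state in {"", "state", "province", "n/a"}:
        flags.append("placeholder_state")
    if phone and phone == fax:
        flags.append("fax_equals_phone")
    return flags


def analyze(records=RECORDS):
    """Parse every record, then return (shared pivots, anomalies per domain)."""
    parsed = {d: parse_whois(t) for d, t in records.items()}
    return build_pivots(parsed), {d: registrant_anomalies(r) for d, r in parsed.items()}


if __name__ == "__main__":
    pivots, anomalies = analyze()
    for (kind, value), domains in sorted(pivots.items()):
        print(f"shared {kind} {value!r}: {', '.join(domains)}")
    for domain, flags in anomalies.items():
        print(f"{domain}: {flags or 'no anomalies'}")
```

On these inputs the pivot index links HNSJ.ORG and UNKNOWN-DOMAIN-1 on name, phone number, street and postal code, while XIUXING.INFO shares none of the indexed fields with either (the link to it on this page comes from the QQ and profile data, not from whois). The anomaly pass flags HNSJ.ORG on all three checks, which is what an analyst would expect from a registrant record filled with throwaway values.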

Jeno mentions his Buddhism website on his profile, along with the same QQ number used in

Tawnya Grilth aka Eric Charles aka xxgchappy aka Jeno aka undercurrent

Personal Details

QQ number 55356626 Profile

The personal email "" is also mentioned in a shellcode article written by Jeno at Xfocus, a well-known Chinese hacking forum, dated 2003.

Article submitted by: jeno (

Time: 2003-8-31

Xfocus Profile

DOB 1980-10-1

The name Jeno and the DOB 1980 make up the email, which is used as the registrant email.

Kaixin001 Chinese Social Network

The registrant email is also the email registered on the Chinese social network Kaixin001.

Personal details mentioned on Kaixin profile.

Name - 张长河 Zhang Chang-he

Living in Zhengzhou, Henan Province, China.

QQ number 55356626 leads to a personal blog revealing his pic


Jeno registered all the domains associated with the espionage activity; considering his Xfocus and profile, we can zero in on Jeno, or he is in some way associated with the group.

Update 16 Feb 2013

Journals published by Zhang Chang-he (2005-2011); 20139954; 21141875;

Windows Rootkit 

Analysis of Windows Startup

Security Analysis of PCI device

Capturing File Transferred or Printed Based on SMB in LAN