Monday, July 29, 2013

PinkShop - Carder Shop

www.PinkShop.name
This pepto-bismol themed shop is selling stolen credit card details. 

pinkode.org 69.197.18.178
pinkode.pro 69.197.18.178
(These domains redirect to pinkshop.name)
CIDR:           69.197.0.0/18
OriginAS:       AS25761
NetName:        STAMINUS-COMMUNICATIONS
abuse@staminus.net
www.pinkshop.name. 300 IN A 141.101.116.126
www.pinkshop.name. 300 IN A 141.101.117.126
(CloudFlare)
I contacted both Staminus and CloudFlare about this domain. 


Adverts for shop:

Another advert:

Google the ICQ or admin email for this shop. You will see more ads.




WARNING: 
The design of this site is so awful that it may damage your eyes. 



Login screen with some SEO keywords:

sell dumps, buy dumps, buy cvv, buy cvv2, sell dumps, sell track2, buy track2, buy cards,cheap cvv,buy cvv,sell cvv,fresh cvv,good cvv,buy good cvv,sell good cvv,best cvv,fresh paypal,carders market,check cvv,cvv2 dump,buy cvv online


Hideous welcome page:

User agreement and rules of site. (Lol)



Dumps:
Dumps - "a term which refers to stolen credit card data". More precisely, dumps are the magnetic-stripe track data (track 1 / track 2) used to clone physical cards, whereas the CVV2 listings below are card-not-present data (number, expiry, security code, billing details).
http://www.huffingtonpost.com/robert-siciliano/criminal-hackers-carders_b_295894.html



CVV2:



Checker:



Fund Balance:
Details:
BITCOIN ADDRESS TO PAY TO> 13rq5ZmjNP3sGQpcDbqewq6Mgu4scpXXCX
SEND WMZ TO > Z366667111653 , CONTACT ADMINISTRATOR AFTER MONEY SENT!
(see below for blockchain.info details) (and Lol)

(bottom of Funding page):




Contact :
No authentication check on this page.
http://www.pinkshop.name/contact.php

Contact details:
ICQ: 627809737
Email : pinkode@id.ru
Yahoo ID: pinkoder@yahoo.com
Jabber: pinkoder@jabber.org


new > FULLZ 
 note the 1337 use of Z in FULLZ (instead of FULLS) - pretty cool.




Bitcoin address for PinkShop payments: 

13rq5ZmjNP3sGQpcDbqewq6Mgu4scpXXCX

https://blockchain.info/address/13rq5ZmjNP3sGQpcDbqewq6Mgu4scpXXCX
No. Transactions: 63
Total Received: 12.43884827 BTC

UPDATE:
The same bitcoin address is used to collect funds on other carding sites.
track2shop.me
ccbase.biz



The admin is so lazy - he just copy/pastes the same code all over!!


More notes:

In the site's source there is a reference to a folder named bulba.cc_files (a name of the form site_files is what a browser creates when you "Save page as", so this template was most likely saved straight from bulba.cc).
Stolen source or same admin? Who cares. I would bet that all this garbage is offline soon.



track2.name and bulba.cc: 

good god - this is gross looking. 



Various Admin Contact Infos:

track2cvv@e1.ru

ICQ: 355555559
Jabber: cardshop@jabber.org
Yahoo Messenger > card2shop5@yahoo.com
Email: track2cvv@e1.ru

Support / ICQ: 617580016


Contact support by hand
ICQ: 617580016
Email : track2shop@ru.ru

Wednesday, July 10, 2013

ZeuS Banking Trojan Botnet

ZeuS Banking Trojan C&C Server
kopolonimu.info
62.76.188.139
Estimated Size:  500+ bots (small) 
Targeting: UA and RU

some of the banks being targeted:
privatbank.ua
dnbbank.ru

URL listing on Cyber Crime Tracker


WHOIS details on the host network
inetnum:        62.76.176.0 - 62.76.191.255
netname:       Clodo-Cloud
descr:            IT House, Ltd
person:          Maxim Dyubarev
address:        Kalyazinskaya,7, Saint-Petersburg, Russia, 194017

route:             62.76.184.0/21
descr:            IT House, Ltd
origin:            AS57010
mnt-by:          ROSNIIROS-MNT


(no abuse email address) 



Some info from VirusTotal


I forgot to take a screenshot of the auth page. I went back and checked today and the server IP is now filtering all ports. The URL structure page.php?m=login is characteristic of ZeuS control panel login pages.

Nmap scan report for 62.76.188.139
Host is up. 
All 100 scanned ports on 62.76.188.139 are filtered


Each bot has its own subdirectory under /reports/ on the C&C. When the server was online, the bad guys forgot to deny directory listings, which allowed me to browse around to the "reports" folder. This is where the bots upload stolen data such as credentials, screenshots, keystroke log files, etc.



 
Here are screenshots I found of victims logging into bank accounts:




Usually the web injects and built-in credential-stealing modules are all these crooks need to steal from victims' bank accounts. Banks are starting to add other (multi-step) verification/authentication methods, so the bad guys take screenshots to see how the login flow works (see the shot of the auth window above).



More victim bank accounts






Personal Email Accounts
There were also screenshots of personal email accounts on these domains:
yandex.net
filin.mail.ru


Bitcoin Miner
As if stealing money directly from victims' bank accounts is not lucrative enough, these assholes were mining Bitcoin on their bots as well.

In the same directory as the panel on this server, I found a zip archive amd.zip which contained a file wuaxctl.exe.

amd.zip > wuaxctl.exe
https://www.virustotal.com/en/file/fc21aa025de72e60dcde2f013d67dd1a84c8bc5b7be8005d5616ca410fc7abd6/analysis/1372864267/



Russian Newspaper Editor Targeted

I also found some interesting screenshots - not just victims browsing to their online bank sites. This looks like a Russian newspaper or similar. This victim started up Adobe InDesign and then began editing a document.


ZeuS banking trojan screen shot taken of victim editing news print files.

 

Does anyone recognize this newspaper or speak Russian and can translate? 

It would be nice to let this organization know that they are infected with a banking trojan, and it's probably not on just one machine.

Wednesday, July 3, 2013

secure.9billing.com & dapav.net

FakeAV - Affiliate
ZBot / ZeroAccess
Advert Panel

dapav.net > 31.184.244.2
secure.9billing.com > 31.184.244.2
rowline.org > 31.184.244.5

31.184.244.2
netname:      TOEN
descr:            TOEN INCORPORATED
descr:            Middle East, U.A.E.

country:         AE



UPDATE 7/12/13 - Still Active
same server, same panel, same stats.

dapav.net


secure.9billing.com 


I took another sample to check out. 

21.1.exe
26/46
AV detection is up from 22/46,
but still... 20 vendors don't detect this fucker. WTF

anyway...



The .pcap file shows a DNS query to find rowline.org > 31.184.244.5

After the DNS lookup, 21.1.exe talks to rowline.org via HTTP and makes some requests like: 
hxxp://rowline.org/api/ping?stage=1&uid=cadeedbb8f779345b6c13d431855a4f&id=21&subid=1&os=1&avf=0
hxxp://rowline.org/api/test
hxxp://rowline.org/load/?uid=cadeedbb8f779345b6c13d431855a4f  (404, LOL) 


After this chatter it downloads a file, "SCC", which appears to be clean.

Next, another api/ping GET

And then this: 
hxxp://rowline.org/html/viruslist/?uid=cadeedbb8f779345b6c13d431855a4f

I'll dig into this more when I have time. 





Original Post:

First posted on cybercrime-tracker.net in 2012!




07-11-2012 secure.9billing.com/index.php 91.242.217.24 FakeAV PC Defender Plus



Panel still online





Main

Money: $ 0 
no shit. 



Geo





Sub Acc






Get .exe



This page builds a new binary and associates it with a subaccount for tracking the install.

I built a test .exe (21.21) and submitted it to VirusTotal. After that, I checked the Geo page and saw a new install from France (must be a VirusTotal sandbox allowing the exe to run).

The first two builds (21.1.exe and 21.566.exe) were already in the panel.


21.1.exe
(VT 22/46)
https://www.virustotal.com/en/file/920ceeaa0c3a46373f96cc43cecca20b24cacdb6283ccc656ff999bc92f8244b/analysis/1372861065/

21.566.exe
(VT 22/47)
https://www.virustotal.com/en/file/a0d955ff7033dcf840b220432b0a78d12ccf72225df8692d6dd22cb5aedc8253/analysis/1372861188/

21.21.exe (test build)
(VT 22/47)
https://www.virustotal.com/en/file/c51f7c140e34157e84c67641dd927bbdd6231700438dbbfeae4c9f0ca1bcbc47/analysis/1372862762/

Tuesday, July 2, 2013

Umbra Loader - Aldi Nord Clean

Found an Umbra Loader panel today and had a look inside..

hosted on:
nastytrickshotz.x10.mx

198.91.81.2 - x10hosting.com

again, shared hosting...good spot for your panel, moron.


Login:


Commands:

(see below for details on this binary)


Some pretty dope stats:
(nobody is online ??)


Lol



hxxp://nastytrickshotz.x10.mx/a/Panel/Panel/uploads/aldi-nord-clean.exe

VT 33/47 (Lol)


Aldi Bot (aldi-nord-clean.exe) 

Ran the binary through Anubis and got a .pcap file with some DNS and HTTP traffic.

DNS query:
fotze-fick-bot.hj.cx: type A, class IN
DNS response:
fotze-fick-bot.hj.cx: type A, class IN, addr 31.170.166.180



C&C Aldi Server


Whois info:
inetnum:        31.170.166.0 - 31.170.167.255
netname:        MAIN-HOSTING-SERVERS
descr:          Main Hosting Servers
country:        US

c24 Stealer and HC Stealer

Crime24.Net Stealer by Ganja - Panel based on iStealer 6
hxxp://mobydiick1.mo.ohost.de/C24/index.php

This software appears to be used for stealing credentials (Steam, FTP, etc.) and product keys, and includes a generic keylogger for grabbing IMs and mail. See below.

hosted at:
mobydiick1.mo.ohost.de

ok...shared hosting, good place to put your panels.



Login panel:




Main (Logs) view:


List applications:


Export logs:


HC Stealer:


Not sure if they share a SQL db or config files, but the same 'victim' PC appears in each panel.
Looks like the only data captured was a Windows XP product key.. sweet.

I can't even look at this one anymore, the design reminds me of HF trash.