Thursday, March 20, 2014

upgradetoserver.com - Botnets, Phishing, Mass Mailers

upgradetoserver.com
194.44.160.178
inetnum:        194.44.160.0 - 194.44.160.255
netname:        UARNET-LL-20060614
descr:          UARNet
descr:          Svientsitsky st.1
descr:          Lviv
remarks:      INFRA-AW
country:       UA

Whois Domain Information
Registrant Name: JONATHAN AFOLAYAN
Registrant Organization:
Registrant Street: JONATH4U@ROCKETMAILCOM
Registrant City: LAGOS
Registrant State/Province:
Registrant Postal Code: 23401
Registrant Country: NG
Registrant Phone: +1.2347013182809

Started out looking at a "rebranded" Citadel panel.




It's Citadel with a different background.
"World Carding Management System!"


Then I saw some crazy stuff.

Phishing?


This is a joke, right?


Some sort of four-in-one, lazy as hell, ghetto phishing page. 



I'm shocked... do people actually fall for this and fill it out?

Looking at the PHP for the phishing forms.


b_hacker_1@yahoo.com


The same email is used on advertisements:


Google+
Hacking is not a Crime..Is an Art


Two mass mailers.


I shell on yer boxen too...

Broken "Bank of America ReZu1T (Thief)"


Notes

  • admin claims to be Russian in posted advertisements
  • unskilled reseller
  • server hosted in Ukraine 
vps user:
jonatha8

contactemail: 
root@upgradetoserver.com


Google Analytics snippet from index.html:
 var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-5263515-4']);
  _gaq.push(['_setDomainName', '.3eeweb.com']);
  _gaq.push(['_trackPageview']);
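The tracker ID in that snippet is a pivot point: the account number (the middle part of a UA-xxxxxxx-N ID) stays the same across every property the same operator registers, so it links phishing kits that otherwise share nothing. The following Python is an added example, not code from the original post: it extracts tracker IDs and the legacy _setDomainName value from HTML and groups pages by account. The first sample page embeds the snippet quoted above; the second page and its UA-5263515-2 property are constructed here to illustrate the grouping and are not an observed indicator.

```python
import re

# Constructed sample pages. PAGE_A wraps the ga.js snippet quoted above in
# minimal HTML; PAGE_B (and its UA-5263515-2 property) is invented for this
# example to show the account-level pivot.
PAGE_A = """<html><head><script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-5263515-4']);
  _gaq.push(['_setDomainName', '.3eeweb.com']);
  _gaq.push(['_trackPageview']);
</script></head><body>index</body></html>"""

PAGE_B = """<html><head><script>
  ga('create', 'UA-5263515-2', 'auto');
  ga('send', 'pageview');
</script></head><body>other site</body></html>"""

# Legacy UA-<account>-<property> IDs plus the newer G-/GTM- forms, quoted
# as they appear inside the JavaScript snippets.
TRACKER_RE = re.compile(
    r"""['"](UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12}|GTM-[A-Z0-9]{4,10})['"]""")
DOMAIN_RE = re.compile(r"""['"]_setDomainName['"]\s*,\s*['"]([^'"]+)['"]""")


def extract_tracker_ids(html):
    """Tracker IDs in order of first appearance, without duplicates."""
    seen, ids = set(), []
    for tid in TRACKER_RE.findall(html):
        if tid not in seen:
            seen.add(tid)
            ids.append(tid)
    return ids


def extract_domain_name(html):
    """The _setDomainName value if the legacy snippet sets one, else None."""
    m = DOMAIN_RE.search(html)
    return m.group(1) if m else None


def account_key(tracker_id):
    """UA-5263515-4 -> UA-5263515. The account part is what ties properties
    run by one operator together; the trailing number is only a property index."""
    if tracker_id.startswith("UA-"):
        return "-".join(tracker_id.split("-")[:2])
    return tracker_id


def group_pages_by_account(pages):
    """pages: {label: html}. Returns {account_key: sorted list of labels}."""
    groups = {}
    for label, html in pages.items():
        for tid in extract_tracker_ids(html):
            groups.setdefault(account_key(tid), set()).add(label)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    pages = {"upgradetoserver.com/index.html": PAGE_A,
             "constructed-second-site": PAGE_B}
    print(extract_tracker_ids(PAGE_A), extract_domain_name(PAGE_A))
    print(group_pages_by_account(pages))
```

Run it over a directory of saved kit pages and any two sites that land in the same group were registered under one Analytics account, which is stronger linkage than a shared hosting IP.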


Botnet MySQL configs (from the panel config files on the server)

$config['mysql_user']          = 'jonatha8_admin';
$config['mysql_pass']          = 'Oluwanoni407@';
$config['mysql_db']            = 'jonatha8_user1';

$config['mysql_user']          = 'jonatha8_crome';
$config['mysql_pass']          = 'computer12';
$config['mysql_db']            = 'jonatha8_crome';
http://upgradetoserver.com/crome/cp.php?m=login

$config['mysql_user']          = 'jonatha8_unix2';
$config['mysql_pass']          = 'Lorenna1984';
$config['mysql_db']            = 'jonatha8_unix2';
http://upgradetoserver.com/iamcoder/cp.php?m=home

$config['mysql_user']          = 'jonatha8_keran';
$config['mysql_pass']          = 'Lorenna1984';
$config['mysql_db']            = 'jonatha8_keran';

$config['mysql_user']          = 'jonatha8_unix';
$config['mysql_pass']          = 'Lorenna1984';
$config['mysql_db']            = 'jonatha8_unix';
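When a server carries several panels like this, the useful output is not the raw config lines but the per-panel records and what they share: the same cPanel-style account prefix on every database user, and one password reused across three panels. The Python below is an added example, not the author's tooling: it parses the $config[...] assignments quoted above into one record per panel (a new record starts at each mysql_user line, and any panel URL that follows is attached to it), then reports password reuse and the common hosting account prefix. The input is the config dump pasted verbatim from the post.

```python
import re
from collections import defaultdict

# Input: the config lines quoted above, pasted as they appeared, with the
# panel URLs that followed each group of settings.
CONFIG_DUMP = """
$config['mysql_user']          = 'jonatha8_admin';
$config['mysql_pass']          = 'Oluwanoni407@';
$config['mysql_db']            = 'jonatha8_user1';
$config['mysql_user']          = 'jonatha8_crome';
$config['mysql_pass']          = 'computer12';
$config['mysql_db']            = 'jonatha8_crome';
http://upgradetoserver.com/crome/cp.php?m=login
$config['mysql_user']          = 'jonatha8_unix2';
$config['mysql_pass']          = 'Lorenna1984';
$config['mysql_db']            = 'jonatha8_unix2';
http://upgradetoserver.com/iamcoder/cp.php?m=home
$config['mysql_user']          = 'jonatha8_keran';
$config['mysql_pass']          = 'Lorenna1984';
$config['mysql_db']            = 'jonatha8_keran';
$config['mysql_user']          = 'jonatha8_unix';
$config['mysql_pass']          = 'Lorenna1984';
$config['mysql_db']            = 'jonatha8_unix';
"""

# $config['mysql_xxx'] = 'value';  (single-quoted PHP string assignments)
ASSIGN_RE = re.compile(r"^\$config\['(mysql_\w+)'\]\s*=\s*'([^']*)'\s*;")
URL_RE = re.compile(r"^https?://\S+")


def parse_panel_configs(text):
    """One dict per panel: mysql_user/mysql_pass/mysql_db plus any URLs seen
    before the next mysql_user line."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ASSIGN_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "mysql_user":          # each panel's block starts here
                current = {"mysql_user": value, "urls": []}
                records.append(current)
            elif current is not None:
                current[key] = value
        elif URL_RE.match(line) and current is not None:
            current["urls"].append(line)
    return records


def find_password_reuse(records):
    """{password: [users]} for every password shared by more than one panel."""
    by_pass = defaultdict(list)
    for r in records:
        by_pass[r.get("mysql_pass")].append(r["mysql_user"])
    return {p: users for p, users in by_pass.items() if len(users) > 1}


def hosting_account(records):
    """Shared-hosting panels prefix DB users with the account name
    (jonatha8_admin -> jonatha8). Returns the prefix if all records agree."""
    prefixes = {r["mysql_user"].split("_", 1)[0] for r in records}
    return prefixes.pop() if len(prefixes) == 1 else None


if __name__ == "__main__":
    recs = parse_panel_configs(CONFIG_DUMP)
    for r in recs:
        print(r)
    print("reused:", find_password_reuse(recs))
    print("hosting account:", hosting_account(recs))
```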

Saturday, March 1, 2014

Android/iBanking Malware & How ftp.bbc.co.uk was Hacked

Android/iBanking is malware that runs on Android smartphones. In addition to intercepting SMS (text) messages, recording audio, and stealing contact lists, it is used by cyber criminals to complete fraudulent transactions: when a bank sends a one-time verification code to the infected phone via SMS, the criminals intercept that text message and defeat the multi-factor authentication step.

It was sold on the criminal underground for $4-5k USD. The source code has since been 'leaked'. In reality there was no leak; someone made a builder that repackages the original malware with different configurations.


Features of Android/iBanking, translated from a Russian advertisement for it:
Functionality:
- Grabbing all information about the victim (Phone Number, ICCID, IMEI, IMSI, Model, OS)
- Intercepting all incoming SMS and sending them to the web panel and to the control number
- Forwarding calls to any number
- Grabbing all incoming and outgoing SMS
- Grabbing all incoming and outgoing CALLS
- Recording an audio file and sending it to the server (so you know what is happening around the phone)
- Sending SMS to any number without the owner's knowledge
Convenient Web Panel: So, this software is for sale. The price of the bot is 4k; in the package you get an admin panel set up on your server + a control web number + an APK file with a unique interface developed for your needs, as well as ongoing support for the product.

Xylitol posted samples for this malware already.


I had a look inside the C&C server.
hxxp://146.185.162.16/android/admin.php 
146.185.162.16
inetnum: 146.185.160.0 - 146.185.167.255
netname: DIGITALOCEAN-AMS-3
descr: Digital Ocean, Inc.
country: NL

Login:



Once logged in, you are presented with your 'Projects' page.
Each campaign is associated with a Project ID.
This organizes groups of phones and allows delegating projects to different users.

Click on the Project ID that has a 'phone count' and the phone list tab appears, allowing you to get details on the phones in that project. 

Now you can see the phone numbers, model, IMEI, OS, last command sent to the phone.


The malware is also running in the google_sdk emulator and in the TrendMicro sandbox. These look like AV scanner records, not actual infections. It could also be the admin doing some testing.



You can see the command options to send out to bot phones:
start sms, stop sms, start call, stop call, start rec, stop rec, start call to #, get sms, get call, contact list, send sms, check url

I see the "Control" number on this bot phone: +883320340295 - this leads me to an interesting find, see 'BBC hack' below.

I found another control number: +37061513564 on infected phones in the panel. 
This guy has the same cell phone number. He is selling cd-keys. 
He prefers texting after 3:30.  Hmmm..ok.
http://www.skelbiu.lt/skelbimai/parduodu-originalus-raktus-cd-keys-pigiai-9768292.html
E-mail: zerafik@mail.ru or alextumb@mail.ru
Skype: zerafik (only write about that game).
Mobile: +37061513564 (better to text, or call after 15:30).


Starting a new project looks like this:


Oh yes, I also hacked your MySQL phpMyAdmin:

Even though the same 'control' phone number record was in this panel, I did not find the SMS text message record with the BBC credentials in the database. This BBC cell number could be part of the 'leaked' iBanking source, but I don't have any other panels to compare this one to.


BBC.CO.UK Hack 

I Googled one of the 'control' cell phone numbers I found, "+883320340295", to learn more about it and found some interesting stuff.

Some Russian hacker, ReVOLVeR, was helping his friend recover a password from a backup of the friend's lost smartphone.
While looking through the backup he discovers this same iBanking malware installed on the phone. He hacks the C&C (myreddskins.net) and finds another Android smartphone that has been infected.
That other infected smartphone had credentials for ftp.bbc.co.uk stored on it. I would assume this phone belongs to a BBC employee in the IT department. ReVOLVeR then takes the credentials from the BBC phone, logs in and proceeds to root the box.

Translation (cleaned up from a machine translation of ReVOLVeR's post):
The whole truth about the break-in at bbc.co.uk. The story began with a request: one of my friends lost a not-so-small number of Bitcoins from his account on a BTC exchange. As it turned out, he kept his username and password on his cell phone running Android. I received a backup of the phone and began to study the beast. The research work itself, on the bot APK: 1. You need to convert the apk into a jar. 2. Load the resulting jar into a decompiler. In the decompiled code you can see that the bot can receive commands from a control server, which is hosted somewhere, and via SMS messages. List of commands via SMS
In the administration panel I found a username and password for the FTP server of bbc.co.uk, probably belonging to one of the employees, who uses Android and received the password via SMS. Having logged in, I saw that I had enough rights to see the root directory. In the root, in /dump, I found neatly stored data from /etc, in particular group, shadow and passwd.
DES is not the most cryptographically strong, and accordingly, within the next few hours I had root rights on the server, as well as the users' private keys, which made it possible to connect to the rest of the company's servers. As a bonus I took a screenshot and pulled a full backup of the system; I want to share part of it with you:

Later the press was full of reports about the break-in and an attempted resale. Friends, nobody is selling anything; we, the team of the site priv-8.com, conducted purely research, which showed three things: 1. No one is immune from human stupidity. 2. Viruses, specifically for mobile gadgets, are gaining serious momentum. 3. There were no holes on BBC open to exploitation from the outside, but my posts on Twitter and e-mail are met with silence. The Bitcoins could not be recovered; the bot had been unbound, and I posted it, to everyone's joy, in the admin panel.
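The chain described above turned an FTP login into root because a copy of /etc/shadow was sitting in a readable /dump directory and at least one entry used traditional DES crypt (13-character hash, 8-character password limit, 56-bit key space). The Python below is an added example, not part of ReVOLVeR's post or the author's: it parses shadow-format lines, identifies the hashing scheme from the hash prefix, and lists accounts that are crackable in hours rather than years or that have no password at all. The shadow excerpt is constructed for the example and every hash string is a placeholder of the right shape, not a real hash.

```python
import re
from collections import Counter

# Constructed /etc/shadow excerpt. Hash bodies are placeholders shaped like
# each scheme's output; none of them is a real password hash.
SAMPLE_SHADOW = """# user:hash:lastchg:min:max:warn:inactive:expire:
root:ab01a2b3c4d5e:16130:0:99999:7:::
alice:$6$rounds=5000$saltsalt$LongPlaceholderSha512CryptBodyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:16130:0:99999:7:::
bob:$1$salt1234$PlaceholderMd5CryptBodyX:16130:0:99999:7:::
daemon:*:16130:0:99999:7:::
backup:!:16130:0:99999:7:::
svc:$2y$10$PlaceholderBcryptSaltAndBodyXXXXXXXXXXXXXXXXXXXXXXXXX:16130:0:99999:7:::
legacy::16130:0:99999:7:::
"""

# Traditional DES crypt: 2-char salt + 11 chars, all from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes, most specific first.
SCHEMES = [
    ("$y$", "yescrypt"), ("$7$", "scrypt"),
    ("$6$", "sha512crypt"), ("$5$", "sha256crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$1$", "md5crypt"),
]

# Schemes a single GPU chews through quickly, plus the no-password case.
WEAK = {"descrypt", "md5crypt", "empty"}


def classify_hash(field):
    """Name the hashing scheme of one shadow password field."""
    if field == "":
        return "empty"                      # no password required at all
    if field.startswith(("!", "*")):
        return "locked"                     # login with a password disabled
    for prefix, name in SCHEMES:
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "descrypt"
    return "unknown"


def parse_shadow(text):
    """One record per account: user, scheme and whether it is weak."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme = classify_hash(fields[1])
        entries.append({"user": fields[0], "scheme": scheme,
                        "weak": scheme in WEAK})
    return entries


def weak_accounts(text):
    """Usernames whose hash is cheaply crackable or absent."""
    return [e["user"] for e in parse_shadow(text) if e["weak"]]


def scheme_counts(text):
    """How many accounts use each scheme; a quick picture of a dumped box."""
    return Counter(e["scheme"] for e in parse_shadow(text))


if __name__ == "__main__":
    print(scheme_counts(SAMPLE_SHADOW))
    print("weak:", weak_accounts(SAMPLE_SHADOW))
```

The same check is worth running on your own hosts: a shadow file that still carries DES or md5crypt entries for an old service account is exactly what made the FTP box above fall quickly, independent of how the attacker got the first login.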


Summary

I'm not sure I believe he just found the bbc credentials on that infected phone. Maybe he did, who cares.

We can however thank ReVOLVeR for showing us once again that even for something that costs $4-5k USD on the elite Internet underground, this kit is just another huge pile of garbage.

Mobile malware is just in its infancy. This kind of malware will soon be the norm. Not many people run anti-virus on their phones and are left exposed. Facebook is investing huge amounts of capital to be in the emerging markets where the mobile users are. Cyber criminals see this opportunity as well. 

Citadel / WSO Shell - hajimahmoud.com

hajimahmoud.com
91.223.82.145

http://hajimahmoud.com/arab/xxxx/sysfile.dat

It was listed as a Citadel C&C.

When I got there the Citadel was gone. 

Only thing left was a green WSO shell. 



Looking at the logs we have an IP:
41.138.182.252


It is amazing how many times this network shows up in bad places.

inetnum:        41.138.176.0 - 41.138.183.255
netname:        VISAFONE-LAGOS-PDSN1
descr:          Visafone Communications Limited,
descr:          12, Ologun Agbaje Street,
descr:          Victoria Island,
descr:          Lagos
country:        NG
[NG] Citadel Admin - 41.138.182.252





I'm thinking about starting a KickStarter fundraiser to go over there and crack some skulls myself. 

[NG] ZeuS & Citadel-as-a-Service

Same Nigerian administrator we have seen before.  Citadel 1.3.5.1 as a service. 

This time he also seems to be offering older 2.0.8.9 ZeuS. 

Why would one do such a thing? Maybe he thinks something is wrong with his copy of v2.1.0.1? Maybe he is testing something? I have no idea. I can only speculate. 


Command & Control Servers:
89.33.0.28
89.33.0.199

IPv4 Network Whois: 
inetnum: 89.33.0.0 - 89.33.3.255
netname: ICS-NETWORKS-SOLUTIONS-SRL
descr: ICS Networks Solutions SRL
descr: I.Creanga 6v
descr: Chisinau 2069
descr: Moldova MD

Each directory appears to be organized by a username. That directory contains the control panel for its unique botnet. We have seen these names before. 

Service:


Smaller server:


"Obi" wins (loses?) this round with 153 bots.
Naughty Obi ...
Citadel 1.3.5.1



Godwin:
50 bots


Bobby:



"Dayo" testing out old ZeuS

DedeNew:


More old ZeuS v2.0.8.9

blah, blah, blah...
 yada, yada, yada....

Kingmaker




Malware samples from this campaign:
nay.exe
be0fd3c79a55542364f04fe2177551c9

nforever.exe
bc994c0f79897dab5f729e9a967790bd

nobi.exe
e5110333f84c118e02e73a3384a7d125

frat.exe
1e3b19c7beb876ca7d2b14ed28098e34

hope.exe
74670eca1e61c63354b2814693986dfe

ndp.exe
fc40be9447fcac34307076bea1173fe0

nmoradeyo.exe
eefef7a2482a2e2536e0d956e3a74589

Notes

Some notes on the Nigerian admin of this botnet-as-a-service.

XPERAZ 41.190.3.88



XPERAZ-PC 41.190.2.196

He has VPN software (and at least one VPS) to help him mask his location, but he forgets to turn it on sometimes. You can see he is on the same network we have seen before:

41.190.0.0
inetnum:        41.190.0.0 - 41.190.31.255
netname:        EMTS-20080523
descr:          EMTS Limited / Etisalat Nigeria
country:        NG
admin-c:        AAH2-AFRINIC
person:         Omar Bin Ashoor
nic-hdl:        OBA1-AFRINIC
address:        Everest Court,
address:        Plot 19, Zone L,
address:        Federal Government Layout,
address:        Banana Island,
address:        Ikoyi
address:        Lagos 101241
address:        Nigeria

I have seen them connect from the 41.71.190.x network as well. This is Visafone NG, a CDMA/3G wireless internet provider. I had connected to one of their machines and saw that they connect using a USB wireless network card. Mobile admins.


I have grabbed HTTP logs and grepped the "Install" lines before. This shows the IP of the admin who installed these botnets. It looks to be the same actor here.

http://protectyournet.blogspot.com/2014/02/nigerian-citadel-on-55613347.html
http://protectyournet.blogspot.com/2014/02/more-nigerian-citadel-as-service.html
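Grepping the installer hits out of a panel's web server log and checking the source addresses against the netblocks from the whois records above is a small enough job to script. The Python below is an added example, not the author's tooling: it parses Apache combined-format lines, keeps requests whose path contains "install", tallies the client IPs, and labels each one with the Nigerian netblock it falls in (41.138.176.0/21 Visafone and 41.190.0.0/19 EMTS/Etisalat, both taken from the whois output on this page). The log lines are constructed for the example; the /install/index.php path and the per-user directory names are assumptions about how such a panel's installer would appear, not observed log entries.

```python
import ipaddress
import re
from collections import Counter

# Constructed Apache combined-format lines. Directory names follow the
# per-user layout described above; the installer path is assumed.
SAMPLE_LOG = """\
41.190.3.88 - - [22/Feb/2014:10:14:02 +0000] "GET /obi/install/index.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
41.190.3.88 - - [22/Feb/2014:10:14:40 +0000] "POST /obi/install/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Feb/2014:10:20:11 +0000] "POST /obi/gate.php HTTP/1.1" 200 64 "-" "Mozilla/4.0"
41.138.182.252 - - [23/Feb/2014:01:02:03 +0000] "GET /godwin/install/index.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Feb/2014:02:00:00 +0000] "GET /obi/cp.php?m=login HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

# client ident user [timestamp] "METHOD path PROTO" status ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Netblocks from the whois records quoted in this post.
KNOWN_NETBLOCKS = {
    ipaddress.ip_network("41.138.176.0/21"): "VISAFONE-LAGOS-PDSN1 (NG)",
    ipaddress.ip_network("41.190.0.0/19"): "EMTS / Etisalat Nigeria (NG)",
}


def install_requests(log_text):
    """(ip, method, path, timestamp) for every request touching an installer."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue                        # skip malformed or non-combined lines
        if "install" in m.group("path").lower():
            hits.append((m.group("ip"), m.group("method"),
                         m.group("path"), m.group("ts")))
    return hits


def attribute_ip(ip):
    """Label an address with the known netblock it falls in, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, label in KNOWN_NETBLOCKS.items():
        if addr in net:
            return label
    return "unknown"


def installer_summary(log_text):
    """{ip: (install request count, netblock label)} for the admin hunt."""
    counts = Counter(ip for ip, *_ in install_requests(log_text))
    return {ip: (n, attribute_ip(ip)) for ip, n in counts.items()}


if __name__ == "__main__":
    for ip, (n, who) in installer_summary(SAMPLE_LOG).items():
        print(f"{ip:16} {n:3} install request(s)  {who}")
```

Bot check-ins to gate.php and panel logins are deliberately left out of the tally; only the handful of requests made while setting the panel up point at the operator, which is why the "Install" grep works at all.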


'Strings' on the malware samples here:

https://malwr.com/analysis/OGE4YTY4NDk1NmQ5NDlhNWE5MzY5YTBlMTA2NDRjYWQ/
https://malwr.com/analysis/NDVmNzFhMDJjNTRkNGY4MDk2NDZjZTAwN2M2N2JmZjk/

C:\Program Files\XPERAZ-PC\Xpera Z\MsComCtl.oca

This looks like his build/test environment. Since this machine shows up in the botnet's logs, he must be testing the builds from it.

JS Unpack has seen this string too from another campaign.
http://jsunpack.jeek.org/?report=b0e6a26a0e449cb5b56f9d13c77ec72e8c208406
91.214.203.132/service/austin/naustin.exe benign
Benign?
That botnet IP looks familiar. Oh yeah, I took it down. 


Nigerian Citadel Service Admin
Nick/name: Xperaz / Xperiaz
Location: Nigeria