Guys of JPCERT, 有難う御座います！ Released an update to their Citadel decrypter to make it compatible with 0.0.1.1 sample. Citadel 0.0.1.1 don't have a lot of documentation, so time as come to talk about it. Personally i know this malware under the name 'Atmos' (be ready for name war in 3,2,1...)   The first sample i was aware is the one spotted by tilldenis...

Some of you know Betabot.. if you don't: http://www.ic3.gov/media/2013/130918.aspx1.0.2.5 panel:Dashboard:extended information:Search options:Tasks:Remove bot:Terminate bot till next reboot:Botkill:Socks4:Set browser homepage:Visit URL option:Update bot option:Download file option:DDoS cmd option:Formgrabber logs:logins:users:Settings:IP blacklist:List...

lll

I got on my hands recently the source code of Alina "sparks", the main 'improvement' that everyone is talking about and make the price of this malware rise is the rootkit feature. Josh Grunzweig did already an interesting coverage of a sample, but what worth this new version ? InjectedDLL.c from the source is a Chinese copy-paste of http://www.cnblogs.com/lzjsky/archive/2010/12/01/1892702.html...

Consuella was a 'USPS drop service' run by one of the Lampeduza administrator. This type of service is used to help credit card thieves to "cash out" by sending carded labels service overseas (or not) via USPS. They was also constantly recruiting mules in United states to keep addresses in rotation. Here is what look like the service from an admin...

When Cryptorbit ransomware was targeting people i've visited them SQL database: Bad guy wallets: 1H6jc6Mz535zTts6DWdeJf3HdH4owGjsXo 15JTKDkU4U6Tn5MBc9Pt52mMzXDmvmaanR 18yP3oKzeqChWCYG2ZGPcBhMQBiXFeR2GF 17FSkXDULjtK6R9G3cpwmLMYbWRZJ9c8vZ 1KZvxpPzvkSCqm3VTffWBWcLumWK1KJfkK Pseudo decryptor ~ 4a8e11468649e045976574691cf53732