Sopelka Botnet: three banking trojans and one banking panel

Sopelka botnet started life in May this year and was taken down by the end of September. It has been called Sopelka because of the path used in the distribution of binaries and configuration files, and it was an odd mixture of variants of the known banking trojans Tatanga, Feodo and Citadel.

This botnet’s objective was the collection of banking credentials from European entities, mostly banks from Spain and Germany, but also Holland, Italy and Malta. In addition, it made use of different mobile components for Android, BlackBerry and Symbian phones. Symbian was the first operating system where this type of malicious component emerged two years ago.

During the botnet’s lifetime there were at least five campaigns and it’s likely that more were carried out. Of the five known campaigns, three of them installed variants of Citadel (versions 1.3.4.0 and 1.3.4.5), another Feodo, and Tatanga was the chosen trojan in the other one. All the Citadel campaigns carried the name “sopelka” (a flute type in Russian) in their download paths for binaries and configuration files, but this was not the case with Tatanga and Feodo.

Campaign: dates; trojan; path(s); countries

  • Sopelka1: 01/05 - 30/05; Citadel 1.3.4.0; /sopelka1/file.php|file=citsp1.exe and /sopelka1/file.php|file=sopelka1_config.bin; ES, DE, NL
  • Sopelka2: 01/05 - 30/05; Citadel 1.3.4.0; /sopelka2/file.php|file=citsp2.exe and /sopelka2/file.php|file=sopelka2_config.bin; ES
  • Tatanga: 15/06 - 15/07; Tatanga; /sec/g.php; IT, ES, DE, NL
  • Feodo: 15/06 - 15/07; Feodo; /zb/v_01_a/in/cp.php; ES, NL, DE, IT
  • Sopelka3: 15/08 - 27/09; Citadel 1.3.4.5; /sopelka3/file.php|file=citsp3.exe and /sopelka3/file.php|file=sopelka3_config.bin; ES, DE

The HTML injects included only the code necessary to reference JavaScript code located on an external server. The server kept at least one file for each entity, in some cases two or three. In this way, the criminals could modify content and injects to their hearts' desire without needing to create and distribute a new configuration file to each of their bots. Furthermore, the injected JavaScript was not served as a directly accessible static file, as in the following example:

https://domain.com/dir/inject.js

Instead, they made use of a PHP file to control and serve the JavaScript code with a URL in the following format:

https://domain.com/dir/get.php/campaignDir/?name=inject.js

The link between the use of Tatanga, Feodo and Citadel by the same group of cybercriminals was established because the same URL format for retrieving the external code, using the same path and the file get.php, could be identified in all configuration files. In fact, all of them were sending the banking credentials to the same panel, a different one from the panel specific to each trojan. This control panel stored only banking credentials.

Finally, the "tatangakatanga" string was found in Citadel configs, and another kind of URL was detected that could be used to retrieve external JavaScript and has been related to Tatanga since its beginnings:

https://domain.com/dir/x.php?cmdid=8&gettype=js&id=inyeccion.js&uid=0000

When the Tatanga trojan emerged, it used a URL with a similar format that contained the word “tatangakatanga”, which was where the name of this new banking malicious code came from:

https://212.124.110.18:444/tatangakatanga/x.php?gettype=image&id=loaderfid.gif
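One way to hunt for both retrieval formats (the get.php inject URL and the Tatanga x.php loader) in web proxy logs, as an added example that is not part of S21sec's write-up: the log format (timestamp, client IP, method, URL, status) and the sample lines are constructed, and the labels are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Inject-retrieval URL shared by all Sopelka campaigns:
#   https://<host>/<dir>/get.php/<campaignDir>/?name=<inject>.js
GETPHP_RE = re.compile(r"/get\.php/(?P<campaign>[^/?]+)/?$")

# Tatanga-style loader: https://<host>/<dir>/x.php?cmdid=..&gettype=js&id=..&uid=..
# (the original Tatanga samples used a "tatangakatanga" directory in front of x.php)
XPHP_RE = re.compile(r"/x\.php$")


def classify_url(url):
    """Return (label, details) if the URL matches one of the two patterns, else None."""
    parts = urlsplit(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    m = GETPHP_RE.search(parts.path)
    if m and qs.get("name", "").endswith(".js"):
        return "sopelka-get.php", {"campaign": m.group("campaign"), "name": qs["name"]}
    if XPHP_RE.search(parts.path) and "gettype" in qs:
        details = dict(qs)
        details["tatangakatanga_path"] = "tatangakatanga" in parts.path.lower()
        return "tatanga-x.php", details
    return None


def scan_proxy_log(text):
    """Scan constructed proxy log lines of the form '<ts> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines
        result = classify_url(fields[3])
        if result:
            hits.append((fields[1], result[0], result[1]))
    return hits


# Constructed sample log; the URLs are the formats described in the write-up.
SAMPLE_LOG = """\
1346500000.123 10.0.0.5 GET https://domain.com/dir/get.php/campaignDir/?name=inject.js 200
1346500001.456 10.0.0.7 GET https://domain.com/dir/x.php?cmdid=8&gettype=js&id=inyeccion.js&uid=0000 200
1346500002.789 10.0.0.9 GET https://212.124.110.18:444/tatangakatanga/x.php?gettype=image&id=loaderfid.gif 200
1346500003.000 10.0.0.5 GET https://www.example.org/static/app.js 200
"""

if __name__ == "__main__":
    for client, label, details in scan_proxy_log(SAMPLE_LOG):
        print(client, label, details)
```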

Security researchers from Shadowserver and Abuse.ch sinkholed some of the Citadel domains identified (autumn.kz, wet.kz, advia.kz), and shared with this investigation the following statistics about requests arriving from infected machines:

These graphs show that the infections were essentially confined to German and Spanish users, with the group of infected German users being on average more numerous than the Spanish one (almost 60% of Germans in contrast to 38% of Spanish). Besides these two groupings, which stand out by number of connections, there were others with a much smaller share, such as connections from Switzerland (2%), Portugal (1%) and Italy (almost 0%). Connections originating in the United States, Holland, the United Kingdom, Hong Kong and other countries were almost negligible.

To get an idea of the botnet's size: during the week in which data were collected, more than 16,000 unique IPs connected to the sinkhole (bearing in mind that these IPs were not filtered for NAT, researchers, etc.).

Regarding the mobile components used, in the first campaigns only Android and BlackBerry applications were downloaded, and in some cases messages were only sent if the operating system was Android. In contrast, in the latest detected campaign Symbian had been added to the list of supported operating systems.

The functionality of the application was the same regardless of the target operating system. It was a classic mobile component with the same characteristics that S21sec first detected back in September 2010. The aim of the application was to forward the messages arriving at the target telephone. It could be administered by sending SMSs and, unlike the latest .apk's, required no communication over HTTP.

The list of commands was much shorter than in the first versions; it included only these three commands (already mentioned by Kaspersky some months ago):

  • "on": starts monitoring and forwarding of messages. If the command completed correctly, the application sent a message with the word “ONOK” to the number specified as “admin”.
  • "off": performs the opposite function to the previous command, that is, stops monitoring and forwarding of the messages arriving at the mobile device. If all went well, it sent a message with the word “OFOK” to the selected number.
  • "set admin": changes the administrator telephone number, where commands were received and to which text messages from the infected terminal were forwarded. If this action produced no error, it sent “SAOK” to the chosen number.

Also, just after starting up, the malicious application sent the word “INOK” to the number specified as administrator, whereas in earlier versions the phrase “App installed ok” was sent. After this, it showed the code "7725486193" to the user, to be entered in the field created by the HTML inject; this served to indicate that the application had been installed correctly. In all the applications the number to which the messages were sent was the same, +46769436094, a Swedish virtual number.

As a curiosity, some of the Citadel binaries contained a message referring to Brian Krebs (the well-known journalist covering the world of cyber-crime), which was already discussed a few months ago:

As mentioned before, some of the facts provided are the result of information sharing amongst the security community, for which we express our gratitude. A special mention goes to the researchers at Fox-IT, Shadowserver and Abuse.ch.

Note: Originally published on S21sec's blog