Carbanak

Introduction

You are an Europol member and need to track down the mastermind behind a series of online bank robs using a malware that infect banks' networks, Carbanak. For this you will have at your disposal a large variety of tools provided by the FBI and Europol's Security Department.

List of available tools and their usage :

• Bulb : Software allowing reverse engineering of a malware to gather upon data on it's origin, makers, path and procedure.
• Citadel : Software allowing a complete computer scan for Malwares.
• Thor : Software allowing to go on the DarkNet.
• Firecat : Software allowing to go on Internet.
• Wow Text : Software allowing to write code.
• IceWall : Software allowing you to secure a network.

Missions :

• Prologue : You
• Introduction : How it all started
• December 2013, Kiev Ukraine : A local banks' ATMs started to spit-out cash without any credit card being processed. Men with suitcases are there and pickup the cash before leaving[s'enfuir].
• Mission 1.a : You need to use Citadel to search for a malware on employees' computers.
• Mission 1.b : You need to use Bulb to discover more on the malware.
• Mission 1.c : You need to use Wow Text to write a program that checks if Carbanak is present[présent] on the machine.
• Mission 1.d : You need to use IceWall to secure the network.
• Early 2014-2015 : The mysterious group decide to step-up[monter d'un cran], and attack Western Europe. Europol and the European Banking Federation decide to help banks upgrading their security features, and report as fast as possible when Carbanak is detected in their systems. They manage to establish that more than one hundred banks in fourteen countries are affected.
• Mission 2 : You need to use Thor to search the DarkNet for any trace of hackers that would of boasted[vanter] their operations[coups].
• January 2016 : Carbanak now being well know of Europol and antivirus, the group decides to create a new malware, Cobalt. Cobalt is much more powerful and allows even to directly transfer money to the group's accounts and intermediate accounts, that are deleted straight after. By doing it this way, no traces are left behind.
• Mars/April 2016 : Cobalt is tested in both Hong-Kong and Ukraine, by virtually adding money to accounts, and then by sending themselves the ?[trop-plein]. Almost 10 million Euros will be processed to the attackers.
• Mission 3.a : Investigate on how the attackers gained the money and from where.
• Mission 3.b : Find the next victim and set-up a plan to catch them on-the-run[sur le fait/la main dans le sac].
• Like predicted, the First Commercial Bank of Taïwan is victim of an attack. But Taïwan's Police, thanks to your action, follows them to their ?[planque] and arrests a part of the group[une part du group], aswell as getting back a large part of the stolen cash.
• Mission 3.c : You need to examinate the group member's phone to find any information on the mastermind.
• 2017 : Now that you've got an address, Europol and the Spanish Police can now start spying on him. Carlos Yuste, specialised in cybercriminality, is in charge of the spinning[filature].
• Mission 4.a : Discover his identity.
• Mission 4.b : Intercept a call and note what they say.
• Mission 5 : Arrest Denis Katana.

Missions details

Prologue : [Black screen.]

• Voice talking :
• You are Alexandro Van Dart... An Europol employee at the cybercriminality department... You have at your disposal a computer...
• [Computer screen appears in the center of the screen, with standard wallpaper and no desktop icons, taking up 9:10 of the screen.]
• You also have a practical guide...
• [Practical guide appears in the bottom-right of the screen]
• In which new techniques and tips will be unlocked through out the progression... You will have a complete panoply[panoplie] of softwares for any of your uses...
• [Appears on screen the desktop icon of Bulb]
• [A golden halo appears around Bulb's desktop icon]
• Bulb is used to reverse engineer a malware to optain information on it...
• [The golden halo disappears around Bulb's desktop icon]
• [Appears on screen the desktop icon of Citadel]
• [A golden halo appears around Citadel's desktop icon]
• Citadel is used to scan and clean a computer for malwares...
• [The golden halo disappears around Citadel's desktop icon]
• [Appears on screen the desktop icon of Thor]
• [A golden halo appears around Thor's desktop icon]
• Thor is used to navigate on the Darkweb and doggy forums...
• [The golden halo disappears around Thor's desktop icon]
• [Appears on screen the desktop icon of Firecat]
• [A golden halo appears around Firecat's desktop icon]
• Firecat allows you to go on Internet and any legal site...
• [The golden halo disappears around Firecat's desktop icon]
• [Appears on screen the desktop icon of Wow Text]
• [A golden halo appears around Wow Text's desktop icon]
• To write code you will need to use Wow Text...
• [The golden halo disappears around Wow Text's desktop icon]
• [Appears on screen the desktop icon of IceWall]
• [A golden halo appears around IceWall's desktop icon]
• And finally, to secure a computer and it's network, you can use IceWall...
• [The golden halo disappears around IceWall's desktop icon]
• [ADD DESCRIPTION FOR CARBANAK]
• Now, you are the only one who can track down the mastermind behind Carbanak...

Mission 1.a : You have access to an employees screen.

• You need to open File Browser.
• You need to open External Device (:E).
• You need to open Citadel.exe.
• You need to check your practical guide to see your credentials.
• You need to login with your credentials.
• You need to click on Scan.
• You will get a list of 4 malwares :
• Kuba.bin - Steels email address for later phishing - Author arrested
• tro.jan - Saves browser's history and passwords - Author arrested
• Carbanak.exe - Unkown - Unknown
• OI.boy - Keylogger - Author not arrested
• You can click on any of the malwares to see further details :
• Name : Kuba.bin
• Path : C:\Users\Mark\Programs\ForsaRacing-Crack\bin\src\lib\kuba.bin
• Situation : Author Arrested (Michael Downhill)
• Description : Exploits Lindows' 0x2921 vulnerability to get the list of all email address and sends them to an automated bot that starts flooding mailbox with phishing emails.
• ----------
• Name : tro.jan
• Path : C:\Users\RobertGamer\Documents\GoodMail\Inbox\web-downloads\tro.jan
• Situation : Author arrested (John Pumpkind Senior)
• Description : tro.jan uses Loogl's WebCache Indexing to obtain an MD5 hash of the user's passwords, and bruteforces them using the victim's machine, before sending them to the author.
• ----------
• Name : Carbanak
• Path : C:\Programs\FireCat\r-downloads\carbanak.exe
• Situation : Unkown
• Description : Unknown, probably downloaded from the internet or in a phishing mail.
• ----------
• Name : OI.boy
• Path : C:\Lindows\Drivers\packages\x64\data\src\oi.boy
• Situation : Author not arrested
• Description : Acts like a driver to gain access to the keyboard inputs before saving it, and submitting it to an IA that extracts important strings and sends them to the author.
• You need to click on kill next to the Carbanak malware (or even all of them).
• You need to take notes on the Carbanak malware.

Mission 1.b :

TODO

• Make Wow Text UI
• Make IceWall UI
• Fix Citadel UI (5 selections, but should only be 4)

DONE

• Make Bulb icon and UI
• Make Citadel icon and UI
• Make Thor icon and UI
• Make Firecat icon and UI
• Make Wow Text icon
• Make IceWall icon
• Make File Browser icon and UI
• Make Screen UI
• Make NoteBlock UI

Functionning

• Each software must have :

1. A name
2. A description
3. An icon
4. A code-data (required by Bulb)

• Each site must have :

1. An IP
2. A content (Text with the website's text)
3. A title
4. A locked or not status (for further needed progress)